System Design Description (SyDD) — ISO/IEC/IEEE 15289 — Description | IEEE 29148 §6.5
Generated 2026-03-27 — UHT Journal / universalhex.org
flowchart TB n0["system<br>Remote Weapon Station (RWS)"] n1["subsystem<br>Electro-Optical Sensor Assembly (EOSA)"] n2["subsystem<br>Fire Control System (FCS)"] n3["subsystem<br>Turret Drive Assembly (TDA)"] n4["subsystem<br>Operator Control Unit (OCU)"] n5["subsystem<br>Safety Interlock System (SIS)"] n6["subsystem<br>Weapon and Ammo Handling (WAH)"] n7["subsystem<br>Power Distribution Unit (PDU)"] n8["subsystem<br>Communications Interface Unit (CIU)"] n1 -->|Sensor video, target data| n2 n2 -->|Servo commands, pointing| n3 n2 -->|Fire request, arm status| n5 n5 -->|Fire enable/inhibit| n6 n5 -->|Drive enable, brake cmd| n3 n4 -->|Operator commands| n2 n2 -->|Display data, video| n4 n4 -->|E-STOP, arm/safe| n5 n7 -.->|28V/12V/5V power| n1 n7 -.->|12V/5V power| n2 n7 -.->|28V drive power| n3 n8 -->|GPS, BMS target data| n2 n2 -->|Video export, status| n8
Remote Weapon Station (RWS) — Decomposition
| Subsystem | Diagram | SIL | Status |
|---|---|---|---|
| Electro-Optical Sensor Assembly | SIL 2 | complete | |
| Fire Control System | SIL 3 | complete | |
| Turret Drive Assembly | SIL 2 | complete | |
| Operator Control Unit | — | complete | |
| Safety Interlock System | SIL 3 | complete | |
| Weapon and Ammunition Handling Assembly | SIL 2 | complete | |
| Power Distribution Unit | SIL 3 | complete | |
| Communications Interface Unit | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Dual-Channel Safety Controller SHALL implement a 1oo2D (one-out-of-two with diagnostics) redundant channel architecture with independent processing paths and cross-channel data comparison, achieving a Probability of Failure on Demand (PFD) not greater than 1×10⁻⁴ per hour. Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 2 requires quantitative verification of PFD for SIL 3 architectures. The 1oo2D architecture claim is verified by FMEDA (Failure Modes Effects and Diagnostic Analysis) test per IEC 61508-6 Annex B, producing a documented PFD calculation with all failure rate and diagnostic coverage inputs traceable to certified component datasheets. This constitutes a Test verification because the FMEDA produces quantitative pass/fail evidence against the SIL 3 PFD threshold of 1e-4/hr. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-dsc-1oo2d-618 |
| SUB-REQ-002 | The Dual-Channel Safety Controller SHALL transition to ARMED state only when the Arming Key Switch Assembly asserts key-armed status AND an operator ARM command has been received from the Operator Control Unit, with both inputs present simultaneously within a 2-second coincidence window, and SHALL revert to SAFE state if the window expires without both inputs being present. Rationale: SYS-REQ-007 mandates a two-action arming sequence. The 2-second coincidence window prevents accidental arming from delayed inputs while remaining operationally practical (crew can key-and-arm in under 2 seconds). Expiry revert prevents leaving the system half-armed if the operator is interrupted. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-dsc-two-action-arm-618 |
| SUB-REQ-003 | The Hardware Firing Interlock Relay SHALL be a normally-open, fail-safe electromechanical relay installed in series with the weapon firing solenoid, energised only when both the Dual-Channel Safety Controller asserts fire-enable AND the Arming Key Switch Assembly is in ARMED position via a separate hardwired circuit, such that any single software failure cannot cause weapon discharge. Rationale: SYS-REQ-008 requires hardware diversity from fire control software. A normally-open relay fails safe (weapon cannot fire) on de-energisation. The AND-gate of two independent inputs (controller + key) ensures neither a software fault alone nor an inadvertent key turn alone can cause discharge. This is the primary SIL-3 firing barrier. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-hfi-independence-618 |
| SUB-REQ-004 | The Hardware Firing Interlock Relay SHALL de-energise and open the firing solenoid circuit within 10ms of the Dual-Channel Safety Controller withdrawing the fire-enable signal. Rationale: A 10ms de-energise latency ensures the firing circuit opens before the next possible trigger pulse at maximum weapon cyclic rate (1200 RPM = 50ms between rounds). This provides a minimum 5x margin. Exceeding 50ms risks firing an unintended round after a safe state command. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-hfi-response-618 |
| SUB-REQ-005 | The E-stop and Link Watchdog Module SHALL assert a safe-state trigger signal to the Dual-Channel Safety Controller within 200ms of the last valid operator control link heartbeat being received, and SHALL maintain that signal asserted until a valid heartbeat sequence is re-established. Rationale: SYS-REQ-009 mandates a 500ms total safe-state response to link loss, of which the watchdog module must trigger within 200ms to allow 200ms for the controller to process and a further 100ms margin. A hardware watchdog (not software) ensures the timer operates even during a software hang on the controller. | Test | subsystem, safety-interlock-system, sil-2, safety, session-618, idempotency:sub-ewd-link-watchdog-618 |
| SUB-REQ-006 | When Emergency Stop is activated, the Safe State Output Driver SHALL de-energise all actuator outputs (both axis brake solenoids and weapon firing inhibit relay coil) within 50ms of the E-stop and Link Watchdog Module asserting the safe-state trigger signal. Rationale: SYS-REQ-010 requires E-stop response with brakes engaged. The 50ms budget covers: 10ms E-stop module assert + 20ms controller processing + 20ms relay driver response. Brake engagement within 50ms limits turret coast-down to <2° at maximum slew rate of 60°/s, keeping weapon within the commanded safe zone. | Test | subsystem, safety-interlock-system, sil-2, safety, session-618, idempotency:sub-ssod-estop-response-618 |
| SUB-REQ-007 | While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System SHALL prevent transition to ARMED state regardless of operator control unit commands, and SHALL assert the firing inhibit and brake-engaged outputs in their safe state. Rationale: STK-REQ-009 mandates lockout-tagout enforcement during maintenance. The physical key switch in MAINTENANCE-LOCKOUT position provides a reliable, operator-controlled barrier that cannot be overridden by software commands — satisfying the lockout-tagout principle that the energy isolation device must be under the control of the person at risk. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-sis-maintenance-lockout-618 |
| SUB-REQ-008 | When the Dual-Channel Safety Controller detects a fault via cross-channel comparison, internal diagnostic monitor, or output verification loop, the Safety Interlock System SHALL transition to the safe state (firing inhibited, brakes engaged) within 100ms of fault detection and SHALL latch in safe state until a deliberate operator reset sequence. Rationale: IEC 61508 SIL 3 requires automatic transition to safe state on fault detection. The 100ms budget (10ms detect + 50ms processing + 40ms output) ensures the safe state is reached before a firing cycle can complete. Latching prevents inadvertent re-arming due to transient faults; deliberate reset ensures an operator has positively accepted the safety state change. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-sis-fault-safe-state-618 |
| SUB-REQ-009 | The Safety Interlock System SHALL operate from a 28VDC (22–32V nominal range) supply provided by the Power Distribution Unit, with maximum power consumption not exceeding 50W during peak diagnostic cycle, and SHALL maintain correct safety function operation during supply voltage transients in the range 16–40VDC per MIL-STD-704 (Aircraft Electric Power Characteristics) transient profile. Rationale: Power supply requirements are mandatory for any classified-Powered subsystem to confirm operation across vehicle bus voltage range (28VDC nominal, 22–32V steady-state per MIL-STD-1275 heavy vehicle power). 50W peak budget is derived from dual-channel processor (2×10W), relay drivers (3×5W), and monitoring circuits (10W margin). MIL-STD-704 transient profile is the applicable standard for military ground vehicles. | Test | subsystem, safety-interlock-system, power, session-618, idempotency:sub-sis-power-618 |
| SUB-REQ-010 | The Turret Drive Assembly SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 400W during simultaneous high-rate azimuth and elevation slewing, and peak instantaneous draw not exceeding 800W during acceleration from rest to maximum slew rate. Rationale: TDA is a high-power Powered component (DEF51018). The 400W continuous and 800W peak budgets are derived from motor sizing for a 40°/s maximum slew rate under 25kN recoil loading (SYS-REQ-014). MIL-STD-1275E voltage range ensures compatibility with vehicle power bus under transient conditions. | Test | session-619, qc, turret-drive-assembly, power, idempotency:sub-tda-power-619 |
| SUB-REQ-011 | The Fire Control System SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 150W during full-rate sensor fusion, ballistic computation, and servo command generation, and SHALL maintain correct operation during supply interruptions of up to 50ms. Rationale: FCS is a high-criticality Powered component (55F7725D). 150W budget covers dual-processor compute load for sensor fusion and ballistic computation. The 50ms supply interruption tolerance addresses vehicle power bus switching transients that could otherwise cause a false-safe-state assertion during normal manoeuvrability. | Test | session-619, qc, fire-control-system, power, idempotency:sub-fcs-power-619 |
| SUB-REQ-012 | The Electro-Optical Sensor Assembly SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 80W for simultaneous EO camera and thermal imager operation, and SHALL maintain calibrated imaging performance during supply voltage variations throughout the operating range. Rationale: EOSA is a Powered Physical Object (D6C51018) containing thermally-sensitive detector arrays. The 80W budget covers IR detector cooling (Stirling or thermoelectric), EO camera electronics, and image processing. Supply voltage variation test confirms the voltage regulation feeding detector bias circuits maintains calibration, which is critical for the 0.3 mrad IFOV required by SYS-REQ-004. | Test | session-619, qc, electro-optical-sensor-assembly, power, idempotency:sub-eosa-power-619 |
| SUB-REQ-013 | The Fire Control Computer SHALL execute the pointing error closed-loop at not less than 50Hz, producing azimuth and elevation demands to the Turret Drive Assembly within 20ms of each Track data input. Rationale: SYS-REQ-006 requires automatic tracking error ≤0.5 mrad RMS. Achieving this against a 10m/s target at 1000m range requires the pointing loop to run at ≥50Hz; at lower rates, control latency allows tracking error to exceed 0.5 mrad during dynamic manoeuvre. 20ms latency matches the TDA servo bandwidth of 50Hz. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-fcc-loop-rate-620 |
| SUB-REQ-014 | The Target Tracking Processor SHALL maintain auto-track on a target with a minimum IR contrast of 0.5K with a track error not exceeding 0.2 mrad RMS at update rates of 50Hz over a track duration of not less than 10 seconds without operator intervention. Rationale: SYS-REQ-006 requires overall tracking error ≤0.5 mrad RMS. TTP track error budget is 0.2 mrad to leave margin for servo pointing error. 0.5K contrast threshold derived from sensor characterisation at SYS-REQ-004 NETD of ≤50mK. 50Hz update rate is the EOSA video rate. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-ttp-track-accuracy-620 |
| SUB-REQ-015 | The Ballistic Computation Module SHALL complete a new fire solution within 20ms of receiving an updated laser rangefinder range measurement, accounting for target velocity from the Target Tracking Processor, platform inertial data from the IMU, and stored ammunition ballistic coefficients. Rationale: SYS-REQ-002 allocates an 8-second engagement window. Within this, the operator must designate, the LRF must range, and the FCS must compute and settle before firing. 20ms BCM latency is the allocated budget within the overall engagement timeline. Failure to meet this means the weapon is fired on a stale ballistic solution, reducing first-round hit probability below SYS-REQ-001 threshold of p≥0.7. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-bcm-latency-620 |
| SUB-REQ-016 | The Weapon Control Interface SHALL activate the weapon trigger solenoid within 5ms of receiving a FIRE command from the Fire Control Computer, and shall de-activate within 2ms of receiving a CEASE command. Rationale: SYS-REQ-002 requires engagement within 8 seconds; weapon actuation latency is the last element in the chain. 5ms activation latency is the maximum compatible with the fire control timing model. 2ms cease latency is required to ensure burst-length control: at 600 rounds/min, 2ms corresponds to 0.02 rounds over-fire, which is within weapon tolerance. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-wci-fire-latency-620 |
| SUB-REQ-017 | When the Safety Interlock System asserts the SAFE_STATE signal, the Fire Control System SHALL immediately issue a CEASE command to the Weapon Control Interface, clear all pending FIRE commands, and inhibit further FIRE commands until an explicit RE-ARM sequence is completed. Rationale: H-003 (unintended weapon discharge) drives SIL 2 requirement on the FCS to respond to the SIS SAFE_STATE assertion. The FCS must not be capable of overriding or ignoring the SIS safe-state command; clearing pending FIRE commands prevents latent firing after the interlock condition clears. This is a complementary software control layer to the hardware interlock in SUB-REQ-003. | Test | subsystem, fire-control-system, sil-2, safety, session-620, idempotency:sub-fcs-sis-safing-620 |
| SUB-REQ-018 | While operating in Degraded Mode with the thermal imaging channel failed, the Fire Control System SHALL maintain automatic target tracking using the day-channel video feed at a minimum track update rate of 25Hz and shall achieve a first-round hit probability of not less than 0.5 against a stationary 2m x 2m target at 800m range. Rationale: SYS-REQ-011 requires degraded engagement capability when the thermal imager fails. Day-channel minimum 25Hz is half the dual-channel rate; performance reduction from p≥0.7 to p≥0.5 is accepted as a degraded-mode threshold. 800m range reduction from 1000m reflects that day-channel detection at IFOV of SYS-REQ-004 is less reliable in degraded light conditions. | Test | subsystem, fire-control-system, sil-2, degraded, session-620, idempotency:sub-fcs-degraded-mode-620 |
| SUB-REQ-019 | The Fire Control System SHALL complete Built-In Test of all safety-interlocked functions, including Weapon Control Interface continuity, Target Tracking Processor frame acquisition, and Ballistic Computation Module data integrity, within 45 seconds of power application. Rationale: SYS-REQ-012 requires full system BIT within 60 seconds. The FCS BIT is allocated 45 seconds (75% of system BIT budget) because it must sequence through SIS handshake, TTP initialisation, and BCM data validation. The remaining 15 seconds covers other subsystems. BIT failures must be reported via operator HMI within this window. | Test | subsystem, fire-control-system, session-620, idempotency:sub-fcs-bit-time-620 |
| SUB-REQ-021 | The Fire Control Computer SHALL operate within a 28VDC supply rail (20–32V operating range per MIL-STD-1275E) with a maximum steady-state current draw of 8A and a maximum peak surge of 15A for not more than 50ms at power-on. Rationale: Lint finding: FCC classified Powered with no power requirements. FCC supply is from PDU 28VDC rail. 8A steady-state at 220W includes FCC processor, TTP video board, and WCI module in worst-case operating condition. 15A peak surge accommodates capacitor inrush at power-on without tripping PDU branch circuit protection. | Test | subsystem, fire-control-system, power, session-620, idempotency:sub-fcc-power-620 |
| SUB-REQ-022 | The Weapon Cradle and Mount SHALL withstand a peak recoil load of 25kN from sustained burst fire without permanent deformation of mounting interfaces or loss of weapon alignment exceeding 0.5 mrad. Rationale: Derived from SYS-REQ-014. A 25kN recoil load corresponds to .50 cal M2HB sustained fire with a cyclic rate of 450-600 rpm. The 0.5 mrad alignment criterion ensures bore line is maintained within the ballistic solution error budget after a burst — permanent misalignment would degrade first-round hit probability below the SYS-REQ-001 threshold. | Test | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-wcm-recoil-load-621 |
| SUB-REQ-023 | The Recoil Buffer and Damping System SHALL attenuate peak recoil force from 25kN weapon output to not more than 5kN transmitted to the turret structure, measured at the cradle-to-turret interface, across the temperature range -40°C to +70°C. Rationale: The 5kN transmitted force ceiling is derived from turret structural mass budget: 25kN without attenuation would require approximately 40% heavier turret structure to maintain fatigue life. The temperature range requirement ensures hydraulic fluid viscosity variation does not compromise damping performance in arctic or desert environments. | Test | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-rbd-attenuation-621 |
| SUB-REQ-024 | The Barrel Change Mechanism SHALL enable a single maintainer to remove a hot barrel and install a replacement barrel within 30 seconds, using no tools, with the turret in any azimuth position and elevation within -10° to +10°. Rationale: Derived from SYS-REQ-015. The 30-second criterion reflects operational doctrine for sustained fire support missions where barrel life at maximum cyclic rate is approximately 150 rounds. The tool-free, single-maintainer constraint is required because the operator station is remote — there is no second crew member positioned at the weapon. | Demonstration | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-bcm-change-time-621 |
| SUB-REQ-025 | When the Barrel Change Mechanism barrel retention sensor reads UNLOCKED, the Weapon and Ammunition Handling Assembly SHALL assert a BARREL-NOT-LOCKED signal to the Safety Interlock System within 50ms, preventing weapon firing until positive lock is confirmed. Rationale: Derived from SYS-REQ-008 (hardware firing interlock independent of software). An unlocked barrel can fly off during firing, creating a projectile hazard and destroying the weapon. The 50ms detection latency ensures the SIS can inhibit a fire command before the first round is chambered even if the barrel is accidentally released during a firing cycle. | Test | subsystem, weapon-and-ammunition-handling, sil-2, safety, session-621, idempotency:sub-bcm-barrel-lock-safety-621 |
| SUB-REQ-026 | The Turret Drive Assembly SHALL achieve a weapon pointing accuracy of 0.1 mrad RMS under all combinations of vehicle velocity up to 30 km/h on cross-country terrain (30 mrad/s platform motion) and target range up to 1500m. Rationale: Derived from SYS-REQ-001 (first-round hit probability ≥70% at 800m). The 0.1 mrad pointing accuracy is the TDA allocation of the overall 0.3 mrad system accuracy budget — the remaining 0.2 mrad is allocated to FCS ballistic computation and atmospheric correction. At 1500m, 0.1 mrad = 150mm pointing error, within the acceptable zone for 7.62mm suppression fire. | Test | subsystem, turret-drive-assembly, sil-2, session-621, idempotency:sub-tda-pointing-accuracy-621 |
| SUB-REQ-027 | When the Safety Interlock System asserts DRIVE-INHIBIT, the Turret Drive Assembly SHALL cease all azimuth and elevation motion within 200ms, applying both axis brakes, and SHALL NOT resume motion until DRIVE-INHIBIT is de-asserted and a RESUME command is received from the Fire Control Computer. Rationale: Derived from SYS-REQ-010 (E-stop de-energises all actuators within 200ms). The 200ms budget for TDA is the same as the system-level E-stop budget — turret motion must stop within the overall response window since uncommanded turret traverse is a SIL 2 hazard. The RESUME handshake prevents automatic restart after an E-stop. | Test | subsystem, turret-drive-assembly, sil-2, safety, session-621, idempotency:sub-tda-drive-inhibit-621 |
| SUB-REQ-028 | The Azimuth Drive Motor and Gearbox SHALL provide continuous 360° azimuth rotation at slew rates from 0.1°/s to 60°/s, with a maximum angular acceleration of 30°/s² and no mechanical stop or dead zone in the traverse arc. Rationale: Derived from SYS-REQ-003 (continuous 360° azimuth traverse). Continuous rotation without dead zone is essential for engagement of threats at any bearing relative to vehicle heading. The 60°/s maximum slew rate corresponds to tracking a target at 500m range moving at 50 km/h — exceeding this would require oversized motors with no tactical benefit. | Test | subsystem, turret-drive-assembly, sil-2, session-621, idempotency:sub-tda-azimuth-range-621 |
| SUB-REQ-029 | The Thermal Imaging Camera SHALL provide a minimum instantaneous field of view (IFOV) of 0.3 mrad in the narrow field of view (NFOV) channel, enabling detection of a 0.5m² target at a range of not less than 3 km in STANAG 4347 standard atmosphere conditions. Rationale: Derived from SYS-REQ-004 (0.3 mrad minimum day-channel imaging). The thermal channel must match the day channel IFOV to maintain targeting consistency when switching between channels. The 3 km detection criterion at STANAG 4347 conditions ensures tactical relevance for vehicle protection scenarios. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-tic-ifov-621 |
| SUB-REQ-030 | The Laser Rangefinder SHALL measure target range to an accuracy of ±5m (1-sigma) across ranges from 200m to 4000m, and SHALL be classified as eye-safe (Class 1M or better per IEC 60825-1) under all operating conditions. Rationale: Derived from SYS-REQ-005 (LRF range accuracy ±5m). Eye-safe classification is a non-negotiable operational constraint — ground forces frequently operate without laser protection, so any LRF on an RWS must meet IEC 60825-1 Class 1M at the most exposed range to avoid fratricide by laser exposure. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-lrf-accuracy-621 |
| SUB-REQ-031 | While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL maintain Daylight Television Camera and Laser Rangefinder operation with no degradation in day-channel IFOV or LRF ranging accuracy, providing the FCS with day-channel video and range data enabling not less than 0.7 first-round hit probability per SYS-REQ-001 in daylight conditions. Rationale: Derived from SYS-REQ-011 (degraded operation with thermal imager failed). The EOSA electrical and mechanical architecture must ensure thermal imager failure cannot cascade to the day channel or LRF — independent power rail and independent video path are required to achieve this degraded-mode capability. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-eosa-degraded-621 |
| SUB-REQ-032 | The Operator Display Unit SHALL display sensor video from the Fire Control Computer with an end-to-end display latency not exceeding 100ms from FCC frame output to screen pixel update, at full resolution with overlay graphics. Rationale: 100ms end-to-end display latency is the operator-perceptible threshold for manual target tracking in stabilised weapon systems, established by NATO STANAG 4586 Edition 4 (UAS OCU interoperability) and confirmed by DEF STAN 00-250 Part 2 (Human Factors for Defence Systems) Section 3.4 display update latency guidance. Above 100ms the gunner perceives a 'laggy' display that introduces aim-point error during manual tracking. At the maximum manual tracking rate of 5°/s, a 100ms latency represents 0.5° of display lag — at the boundary of perceptible tracking degradation. The 100ms budget is the ODU allocation within the FCC-to-screen path; the remaining latency is allocated to the FCC video processing pipeline (documented in IFC-REQ between FCC and ODU). The value has heritage in fielded RWS programmes including systems using similar COTS display processors. | Test | subsystem, operator-control-unit, session-621, idempotency:sub-odu-latency-621, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-033 | The Gunner Hand Controller SHALL transmit azimuth and elevation slew commands at 100Hz with an input-to-output latency not exceeding 10ms from physical joystick deflection to FCC-received USB HID report, across the full operating temperature range of -40°C to +70°C. Rationale: 100Hz (10ms period) command rate matches the TDC (Turret Drive Controller) inner control loop rate per IEC 61800-7 (Common interface for power drive systems) motion command cycle requirements. The 10ms input-to-output latency is achievable with USB HID configured at 1ms polling interval (USB 2.0 High Speed interrupt endpoint, bInterval=1) giving 1ms USB transfer + <5ms ADC/FPGA processing + <2ms USB host stack delivery = 8ms typical worst-case. This is confirmed by DO-178C (Software Considerations in Airborne Systems) heritage for high-rate joystick interfaces. At 60°/s maximum manual slew rate, 10ms represents 0.6° of untracked motion — within the 1 mil tracking accuracy requirement. The -40°C to +70°C range applies because USB crystal oscillator drift and capacitor ESR changes can increase USB transfer timing on unheated vehicle platforms; the requirement mandates the 100Hz/10ms budget must hold across the full temperature envelope, requiring qualification testing per MIL-STD-810H (Environmental Engineering Considerations and Laboratory Tests) Method 502.6 (Low Temperature). | Test | subsystem, operator-control-unit, session-621, idempotency:sub-ghc-latency-621, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-034 | The Tactical Data Link Processor SHALL encode and transmit MIL-STD-6016 (STANAG 5516) position reports at a minimum rate of 1 Hz and decode received tactical messages with an end-to-end processing latency not exceeding 50ms. Rationale: SYS-REQ-013 requires 1Hz position reporting to the BMS. The 50ms processing latency budget is derived from the 200ms end-to-end engagement message latency in IFC-REQ-006, with 50ms allocated to protocol processing, leaving 150ms for network transmission and BMS processing. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-tdp-datalink-throughput-622 |
| SUB-REQ-035 | The Video Compression and Network Interface Module SHALL compress daylight and thermal video channels to H.264 at a configurable bitrate of 2 to 8 Mbps and deliver RTP streams over GigabitEthernet to the BMS at a minimum frame rate of 15 fps per channel without frame drops exceeding 1% over any 10-second window. Rationale: SYS-REQ-013 and IFC-REQ-006 specify 15fps video to the BMS. The 2-8Mbps range accommodates varying network bandwidth. The 1% frame drop limit is derived from military imaging standards for surveillance video — higher drop rates degrade target identification confidence. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-vcni-video-compression-622 |
| SUB-REQ-036 | The CAN Bus and Serial Protocol Gateway SHALL receive and republish CAN bus (ISO 11898, 500 kbps) vehicle status messages to the internal RWS Ethernet network with a message latency not exceeding 5ms, and distribute GPS position data from the RS-422 input at 10 Hz to the Fire Control System and Tactical Data Link Processor. Rationale: IFC-REQ-003 requires CAN bus communication at <10ms total latency; the gateway must contribute no more than 5ms of that budget. IFC-REQ-004 requires GPS data at 10Hz. The gateway is the single point of ingress for vehicle network data, preventing direct CAN access by safety-critical subsystems. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-cpg-vehicle-data-dist-622 |
| SUB-REQ-037 | The EMC Filter and Surge Protection Assembly SHALL suppress conducted emissions on the CIU 28VDC supply line to comply with MIL-STD-461G (Electromagnetic Interference Characteristics Requirements for Equipment and Subsystems) CE101 and CE102 limits, and shall protect all external signal interfaces against ESD transients up to 15kV (IEC 61000-4-2 Level 4). Rationale: SYS-REQ-017 mandates MIL-STD-461G (Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment) RE102/RS103 compliance. EMC filtering at the Communications Interface Unit (CIU) boundary prevents the data link processor and video compression hardware (high-frequency switching sources) from coupling emissions onto the vehicle power bus or injecting interference into adjacent electronics. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-emc-filter-assembly-622, tech-author-session-643 |
| SUB-REQ-038 | The Power Distribution Unit SHALL accept an input voltage in the range 18VDC to 32VDC (per MIL-STD-1275E) at a continuous rated current of 72A and a peak current of 125A for up to 500ms without thermal shutdown or output voltage deviation exceeding 5% on any load rail. Rationale: IFC-REQ-002 defines the system power input at 2kW continuous and 3.5kW peak. At 28VDC nominal, this corresponds to 72A continuous and 125A peak. The 18-32V range per MIL-STD-1275E (Power, DC, Vehicles and Vehicular Equipment) covers generator, alternator, and battery conditions on military platforms. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-input-voltage-range-622 |
| SUB-REQ-039 | The Power Distribution and Protection Module SHALL implement independent solid-state power controllers for each subsystem load with electronically adjustable overcurrent trip thresholds and shall isolate any faulted load within 10ms of fault detection without interrupting power to other subsystem loads. Rationale: A single faulted subsystem (e.g., TDA motor controller short circuit) must not cascade to disable other subsystems including the Safety Interlock System. The 10ms trip time is derived from the SIS watchdog period of 100ms in SUB-REQ-005 — load isolation must complete before watchdog expiry to prevent false safe-state triggering. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-sspc-isolation-622 |
| SUB-REQ-040 | The DC-DC Converter Array SHALL provide regulated output rails at 12VDC ±2%, 5VDC ±2%, and 3.3VDC ±2% with output ripple not exceeding 50mV peak-to-peak and shall maintain regulation within specification over the full input voltage range of 18-32VDC at rated load. Rationale: Sensor and camera modules (EOSA) require stable 12VDC supply; FPGA and digital processing modules require 5V/3.3V. The ±2% tolerance is the maximum permitted for MIL-grade components per their operating datasheets. 50mV ripple is standard for military electronics power quality. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-dcdc-regulation-622 |
| SUB-REQ-041 | The Power Monitor and Control Unit SHALL sample voltage and current on each subsystem supply branch at a minimum rate of 10 Hz and transmit power telemetry to the Fire Control Computer via RS-422 within 100ms of any supply rail deviation exceeding 5% from nominal. Rationale: The FCS requires power status to implement graceful load shedding under peak demand and to log faults for maintenance diagnostics. 10 Hz sampling is derived from MIL-STD-1275E (Characteristics of 28 VDC Electrical Systems in Military Vehicles) transient characterisation: voltage dropouts and load-regulation events in vehicle 24/28V systems have rise times of 10-50ms, requiring at least 5 Hz to detect; 10 Hz provides 2x margin at minimal RS-422 bus bandwidth cost (10 samples/s × 8 channel × 2 bytes = 160 bytes/s vs RS-422 bandwidth of 1 Mbit/s). The 100ms reporting latency supports SYS-REQ-012 BIT detection within the system self-test window (500ms BIT cycle), ensuring power fault data is current when BIT evaluates subsystem health. The 5% deviation threshold corresponds to MIL-STD-1275E steady-state voltage regulation tolerance for 24V vehicle bus, making any exceedance actionable rather than noise. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-pmcu-telemetry-622, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-042 | The Dual-Channel Safety Controller SHALL operate from a 28VDC supply (22–32V operating range per MIL-STD-1275E), with a maximum steady-state current draw of 500mA per channel and a maximum total inrush current of 2A for no more than 20ms at power-on. Rationale: The DCSC is a SIL-3 safety function powered from the vehicle 28VDC bus. Per MIL-STD-1275E, the bus can vary 22–32V under transient conditions; the DCSC must tolerate this range without false safe-state assertion. The 500mA/channel limit is derived from the SIS power budget (SUB-REQ-009) allocated across five SIS components. Inrush limit protects vehicle protection devices. | Test | subsystem, safety-interlock-system, sil-3, session-623, idempotency:sub-dcsc-power-623 |
| SUB-REQ-043 | The Hardware Firing Interlock Relay SHALL be energised from 24VDC (18–30V operating range), draw a coil current not exceeding 200mA in the energised state, and have a maximum operate time of 10ms and a release time of 5ms when de-energised by the Dual-Channel Safety Controller. Rationale: The HFIR coil voltage range reflects realistic vehicle bus variation; the 200mA limit is derived from SIS power budget (SUB-REQ-009) and relay type selection for the weapon firing circuit load. The 10ms/5ms operate/release times are required to ensure the relay de-energises (opens the firing circuit) faster than a single burst cycle to prevent unintended round discharge. | Test | subsystem, safety-interlock-system, sil-3, session-623, idempotency:sub-hfir-power-623 |
| SUB-REQ-044 | The Elevation Drive Motor and Gearbox SHALL provide weapon elevation coverage from -20° (depression) to +60° (elevation) at a slew rate of not less than 30°/s under maximum weapon load. Rationale: SYS-REQ-003 mandates -20°/+60° elevation coverage; decomposed to TDA because the elevation drive mechanism physically implements this range. The 30°/s slew rate matches the azimuth requirement to maintain symmetric engagement geometry. Missing this requirement would leave the elevation axis unspecified in the TDA. | Test | subsystem, turret-drive-assembly, sil-2, session-624, idempotency:sub-tda-elevation-range-624 |
| SUB-REQ-045 | The Day Camera SHALL provide visible-band imaging at a minimum resolution of 0.3 mrad/pixel and a minimum frame rate of 25 frames per second, with a continuous optical zoom ratio of not less than 20:1. Rationale: SYS-REQ-004 specifies 0.3 mrad minimum resolution for day-channel imaging; this requirement decomposes that performance allocation to the Day Camera imager within EOSA. The 25 fps floor is needed for smooth tracking loop performance in the FCS. Without an explicit camera specification, the EOSA could not be procured or tested against system requirements. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-624, idempotency:sub-eosa-day-camera-624 |
| SUB-REQ-046 | The Fire Control System SHALL achieve a Mean Time Between Critical Failures (MTBCF) of not less than 500 hours in the field operational environment as defined by MIL-STD-810H Method 514 (Vibration). Rationale: MTBCF for a system of this complexity cannot be measured directly by accelerated test within programme timelines. Per DEF STAN 00-56 (Safety management requirements for defence systems) and reliability prediction standards, MTBCF is demonstrated via: (1) Monte Carlo reliability prediction from component failure rate data (MIL-HDBK-217), (2) accumulation of field hours data from qualification and acceptance testing, and (3) field reliability tracking from service introduction. The Demonstration method reflects evidence-based reliability assessment rather than laboratory testing. | Demonstration | subsystem, fire-control-system, sil-2, reliability, session-624, idempotency:sub-fcs-mtbcf-624 |
| SUB-REQ-047 | The Weapon and Ammunition Handling Assembly SHALL enable replacement of the weapon barrel and clearing of a round jam within a Mean Time To Repair (MTTR) of not more than 30 minutes by a two-person team using standard military tool sets. Rationale: SYS-REQ-015 and SYS-REQ-016 collectively drive the maintainability requirement; the WAHA is the subsystem with the highest-frequency scheduled maintenance activities (barrel changes, jam clearance). The 30-minute MTTR ceiling is derived from field doctrine requirements for sustained fire support operations, where extended downtime degrades mission capability. | Demonstration | subsystem, weapon-and-ammunition-handling, sil-2, maintainability, session-624, idempotency:sub-waha-mttr-624 |
| SUB-REQ-048 | The Fire Control Computer SHALL execute an automated boresight verification routine at system power-on and on operator demand, comparing the weapon axis alignment to the EOSA optical axis to within 0.5 mrad, and SHALL inhibit weapon firing if misalignment exceeds 1.0 mrad. Rationale: SYS-REQ-015 requires automated boresight verification to maintain accuracy in the field. Decomposed to FCC because the FCC hosts the alignment algorithm and controls weapon enable/disable. The 0.5 mrad acceptance threshold is derived from the ballistic accuracy budget; the 1.0 mrad inhibit threshold provides a 2× safety margin before engagement accuracy is materially degraded. | Test | subsystem, fire-control-system, sil-2, session-624, idempotency:sub-fcc-boresight-624 |
| SUB-REQ-049 | The Sensor Stabilisation Platform SHALL provide a two-axis gyrostabilised mount for the EOSA sensor head, maintaining residual line-of-sight error below 0.1 mrad RMS while the host vehicle traverses terrain at speeds up to 30 km/h. Rationale: SYS-REQ-001 requires first-round hit probability of 0.7 from a moving vehicle using stabilised fire control; achieving this probability budget on a moving vehicle requires EOSA stabilisation error to be below 0.1 mrad RMS so that it contributes less than 30% of the total ballistic error budget. Decomposed to EOSA because the sensor head and its stabilisation platform are co-located and co-designed. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-624, idempotency:sub-eosa-gyrostab-624 |
| SUB-REQ-050 | The Fire Control System SHALL be packaged as a sealed Line-Replaceable Unit (LRU) meeting MIL-STD-810H Method 507.6 humidity and Method 514.8 vibration profiles for vehicle-mounted equipment. Rationale: Lint finding (HIGH): UHT classifies FCS (55F7725D) without Physical Object trait but SUB-REQ-046 imposes physical constraints. Defining FCS as a sealed vehicle-mounted LRU formalises its physical embodiment and test standards, ensuring the physical design is governed by the same requirements hierarchy as functional requirements. | Inspection | session-625, qc, fire-control-system, lint-fix-high, idempotency:sub-fcs-physical-lru-session-625 |
| SUB-REQ-051 | The Hardware Firing Interlock Relay SHALL use gold-alloy bifurcated contacts rated at minimum 10A continuous at 28VDC and SHALL maintain contact resistance below 50mΩ after 50,000 actuation cycles and 1000 hours salt-spray exposure per MIL-STD-202 Method 101. Rationale: UHT Physical Medium trait classification (D6F51019) identifies material interface requirements not currently specified. The HFI relay is SIL-3 rated; contact degradation from corrosion or wear is a common-cause failure mode that can defeat the hardware interlock. Gold-alloy bifurcated contacts provide redundant current paths and corrosion resistance in the armoured vehicle environment (humidity, salt atmosphere, vibration). Contact resistance limit derives from required voltage margin at the firing solenoid threshold. | Test | session-625, qc, safety-interlock-system, lint-fix-medium, sil-3, idempotency:sub-hfi-relay-contacts-session-625 |
| SUB-REQ-052 | The Fire Control Computer SHALL implement a hardware watchdog timer with a 100ms timeout that independently de-energises the weapon control interface firing output and asserts a fault flag to the Operator Control Unit HMI if the fire control application fails to service the watchdog, ensuring fire control software failure does not result in loss of firing inhibit. Rationale: UHT System-Essential trait classification ({{hex:51B73219}}) identifies missing redundancy/failover specification. The FCC is the master controller for the fire solution; a software lock-up or crash without a hardware watchdog could leave the WCI firing output in an indeterminate state. The 100ms timeout is derived from the maximum credible software recovery time (FCC RTOS context switch < 10ms) and the minimum safe interval between valid fire commands, and satisfies the 500ms safe-state budget in SYS-REQ-009. HMI fault flag notification within 500ms enables the operator to identify the fault and take manual action. This is a defence-in-depth measure supplementing the independent SIS hardware interlock per SYS-REQ-008. Complies with IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems) SIL-2 hardware architecture constraints. | Test | session-625, qc, fire-control-system, lint-fix-medium, sil-2, idempotency:sub-fcc-watchdog-session-625, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-053 | The Weapon Control Interface SHALL implement a fail-safe output stage such that loss of power, loss of communication from the FCC, or any detected output driver fault causes the firing solenoid control line to de-energise within 10ms, independent of FCC software state. Rationale: UHT System-Essential trait classification (50F57A19) identifies missing fail-safe behaviour specification. WCI is the final hardware stage before the firing solenoid; a stuck-energised output due to driver failure or communications loss would bypass both FCC-level and SIS-level safety functions. The 10ms de-energise time derives from the minimum firing cycle of the mounted weapon system, ensuring no unintended discharge can occur. Implemented as a normally-open relay in series with the firing solenoid, held closed only while WCI receives valid heartbeat from FCC. | Test | session-625, qc, fire-control-system, lint-fix-medium, sil-2, idempotency:sub-wci-failsafe-session-625 |
| SUB-REQ-054 | The Power Distribution Unit SHALL implement Solid-State Power Controller (SSPC) per MIL-STD-704F with individual trip threshold programmability per channel, such that a fault on any single load circuit is isolated within 1ms without affecting power delivery to remaining channels. Rationale: UHT System-Essential trait classification (D6C51018) for PDU identifies missing fault-isolation specification. Without individual SSPC isolation, a short-circuit fault on any load (e.g., TDA motor driver) would collapse 28VDC bus voltage and cause all subsystems including FCC and SIS to reset simultaneously — a single-point failure mode incompatible with the SIL-3 allocation. Per-channel SSPC isolation constrains fault propagation and maintains the required independence between safety-critical and non-safety loads. | Test | session-625, qc, power-distribution-unit, lint-fix-medium, idempotency:sub-pdu-sspc-isolation-session-625 |
| SUB-REQ-055 | The Fire Control System SHALL be housed in a sealed aluminium enclosure with a volume not exceeding 8 litres and a mass not exceeding 4.5 kg, with a NATO-standard 4-point equipment rack mounting interface and a 42-pin MIL-DTL-38999 Series III connector for all electrical connections. Rationale: The high-severity lint finding flags that 'fire control system' lacks the Physical Object trait despite imposing physical constraints in SUB-REQ-046 and SUB-REQ-050. This requirement closes the gap by explicitly defining the physical embodiment: the volume and mass budget are derived from the turret's electronics bay envelope (verified in the architecture study), and the MIL-DTL-38999 connector is mandated by MIL-STD-1553B vehicle integration for environmental sealing and EMC compliance. | Inspection | subsystem, fire-control-system, session-626, idempotency:sub-fcs-physical-embodiment-626 |
| SUB-REQ-056 | The CAN Bus and Serial Protocol Gateway SHALL monitor the operator control link heartbeat and assert the LINK-LOSS signal to the Safety Interlock System within 200ms of detecting a heartbeat gap exceeding 100ms, allowing the SIS 300ms to complete safe-state transition within the 500ms system budget of SYS-REQ-009. Rationale: SYS-REQ-009 mandates safe-state transition within 500ms of control link loss. Lint finding 69 identifies 'operator control link' as a SYS concept with no SUB coverage. The 200ms detection threshold is derived by allocating the 500ms budget: 200ms detection + 300ms SIS safe-state transition = 500ms total. The 100ms heartbeat gap threshold provides one missed heartbeat period before declaring loss at a 10Hz heartbeat rate. | Test | subsystem, communications-interface-unit, session-626, idempotency:sub-ciu-link-monitoring-626 |
| SUB-REQ-057 | While in Degraded Operation mode, the Operator Display Unit SHALL annunciate the degraded subsystem (thermal imager, drive controller, fire control computer) within 500ms of mode entry, displaying a distinct amber status icon and a text message identifying the failed subsystem in the top status bar. Rationale: SYS-REQ-011 specifies the system maintains degraded operation capability; the operator must be informed which subsystem has failed to apply correct tactics. The 500ms annunciation latency aligns with the system-level mode transition timing. Lint finding 71 identifies 'degraded operation' as a SYS concept without SUB coverage; this requirement addresses OCU's role in degraded mode management. | Test | subsystem, operator-control-unit, session-626, idempotency:sub-ocu-degraded-annunciation-626 |
| SUB-REQ-058 | The Turret Drive Controller SHALL execute a dual-axis (azimuth and elevation) stabilisation control loop at not less than 400 Hz, rejecting vehicle vibration inputs up to 30 km/h cross-country and maintaining weapon line-of-sight error below 0.1 mrad RMS, using inertial measurement unit feedback to decouple weapon pointing from vehicle dynamics. Rationale: SYS-REQ-001 requires 0.7 hit probability using stabilised fire control against a target from a vehicle moving at 15 km/h; the TDC stabilisation loop is the actuating control element. The 400 Hz update rate is derived from vehicle vibration bandwidth (primary modes up to 50 Hz for tracked vehicle per MIL-STD-810H Method 514), requiring a minimum 8x bandwidth margin. Lint finding 66 identifies 'stabilised fire control' as a SYS concept with no SUB coverage; this requirement closes that gap at the TDC. | Test | subsystem, turret-drive-assembly, session-626, idempotency:sub-tdc-stabilisation-loop-626 |
| SUB-REQ-059 | The Ballistic Computation Module SHALL validate the integrity of all fire solution inputs (LRF range, target angular velocity, atmospheric corrections) using a CRC-32 checksum appended by the supplying component, rejecting any input message with a checksum mismatch and flagging a data integrity fault to the operator HMI. Rationale: BCM is classified as Digital/Virtual and produces weapon engagement solutions — invalid or corrupted input data could cause incorrect fire solutions resulting in collateral damage. CRC-32 per CCITT provides sufficient integrity protection for inter-process communication on a single LRU; it is computationally lightweight relative to cryptographic MAC, appropriate for the 20ms computation latency constraint (SUB-REQ-015). Integrity fault flag to HMI closes the operator-in-the-loop safety argument. | Test | subsystem, fire-control-system, sil-2, session-627, idempotency:sub-bcm-data-integrity-627 |
| SUB-REQ-060 | The Turret Drive Assembly SHALL withstand the operating temperature range of -40°C to +55°C and storage temperature range of -51°C to +71°C per MIL-STD-810H (Environmental Engineering Considerations and Laboratory Tests) Method 501.7 and Method 502.7, with all rotating and sliding contact surfaces sealed to IP67 (IEC 60529) to prevent ingress of dust and water from wash-down or rain. Rationale: TDA is classified as Physical Medium (trait bit 7 in hex DEF51018), meaning it is subject to environmental wear and material degradation. The azimuth ring gear, elevation trunnion bearings, and drive motor housings are exposed to battlefield environments including mud, rain, and extreme temperature cycling. Without IP67 sealing and qualified temperature range, bearing lubricant breakdown or water ingress will cause premature failure of the drive mechanism — a single-point failure for the weapon aiming function. MIL-STD-810H temperature range is the standard MIL qualification range for ground vehicle mounted systems. | Test | subsystem, turret-drive-assembly, environmental, session-628, idempotency:sub-tda-env-protection-628 |
| SUB-REQ-061 | The Safety Interlock System SHALL operate across the ambient temperature range -40°C to +70°C and SHALL maintain its SIL 3 safety function without degradation across this range, with the Dual-Channel Safety Controller enclosure rated to IP65 per IEC 60529 against dust and low-pressure water jets from vehicle wash-down. Rationale: The SIS dual-channel controller and hardware firing interlock relay are mounted inside the turret where temperature extremes reach -40°C in Arctic conditions and +70°C in direct solar load on closed-hatch vehicles. H-001 and H-003 (unintended weapon discharge, safety bypass) require SIL 3 continuity across all operating conditions per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems). IP65 protection is required because vehicle wash-down with high-pressure jets is standard maintenance; water ingress into the safety controller could cause relay weld or contact failure in the firing interlock circuit. | Test | subsystem, safety-interlock-system, environmental, safety, sil-3, session-628, idempotency:sub-sis-env-protection-628 |
| SUB-REQ-062 | The Hardware Firing Interlock Relay SHALL be a hermetically sealed relay rated to operate across the temperature range -55°C to +125°C with a rated coil-to-contact isolation voltage of not less than 500VDC and contact resistance not exceeding 100mΩ across the full temperature range, meeting MIL-PRF-39016 (Relays and Contactors, Established Reliability) qualification. Rationale: The hardware firing interlock relay (hex D6F51019, Physical Medium trait) is the final hardware barrier preventing inadvertent weapon discharge. H-001 (unintended weapon discharge, SIL 3) requires this component to remain fail-safe across all environmental conditions. Hermetic sealing prevents moisture ingress that could cause contact weld in high-humidity environments; MIL-PRF-39016 qualification ensures established-reliability screening with quantified failure rate data for SIL 3 PFD calculation. Contact resistance limit of 100mΩ is derived from the interlock circuit current budget: at 28VDC and 50mΩ load resistance, 100mΩ contact resistance limits voltage drop to <1.4V, maintaining reliable de-energisation of the firing solenoid. | Test | subsystem, safety-interlock-system, hardware-firing-interlock-relay, environmental, safety, sil-3, session-628, idempotency:sub-hwilk-env-relay-spec-628 |
| SUB-REQ-063 | The Fire Control System SHALL provide stabilisation compensation to the ballistic solution such that first-round hit probability is not less than 0.7 against a 2m x 2m target at 200m when the host vehicle is moving at 15 km/h, by applying IMU-derived angular rate corrections to the fire control solution at not less than 100Hz. Rationale: SYS-REQ-001 specifies P_h ≥ 0.7 from a moving platform. This is achieved only if the FCS compensates for vehicle motion via IMU feedback; the 100Hz update rate is derived from the slew rate limit of 40°/s elevation — a 10ms correction interval limits uncorrected muzzle deflection to <0.003° per cycle. | Test | subsystem, fire-control-system, sil-2, session-630, idempotency:sub-fcs-stabilisation-compensation-630 |
| SUB-REQ-064 | The Turret Drive Assembly SHALL provide continuous 360° azimuth traverse and -20° to +60° elevation coverage, with slew rates not less than 60°/s in azimuth and 40°/s in elevation under maximum weapon recoil load and full ice accumulation as defined in MIL-STD-810H Method 521.4. Rationale: SYS-REQ-003 mandates the full traverse and slew envelope. The TDA's drive motors, gearboxes, and slip ring assembly are the sole mechanical means of achieving this. Ice accumulation is specified because Arctic operation is a ConOps requirement; without it the drive would not be verified against the worst-case resistive load. | Test | subsystem, turret-drive-assembly, sil-2, session-630, idempotency:sub-tda-traverse-slew-630 |
| SUB-REQ-065 | While in Degraded Operation mode with the thermal imager inactive, the Electro-Optical Sensor Assembly SHALL maintain a minimum day-camera video output at 15 fps at 1920x1080 resolution with automatic exposure adjustment, and the Fire Control System SHALL switch to manual tracking mode using day-camera contrast tracking within 5 seconds of thermal imager fault detection. Rationale: SYS-REQ-011 mandates engagement capability to 200m using day camera in degraded mode. The 5-second switchover is derived from maximum allowable gap in situational awareness during a threat encounter; longer gaps would break fire discipline. Manual tracking is the fallback because auto-track depends on thermal contrast. | Test | subsystem, electro-optical-sensor-assembly, fire-control-system, sil-2, degraded-mode, session-630, idempotency:sub-eosa-fcs-degraded-day-camera-630 |
| SUB-REQ-066 | The Communications Interface Unit SHALL transmit sensor video, target positional data, and system health status to the Battle Management System via a MIL-STD-6016 (Tactical Digital Information Link) compatible radio interface, with position report messages at not less than 1Hz and encoded video stream at not less than 15fps. Rationale: SYS-REQ-013 mandates BMS connectivity via MIL-STD-6016; the CIU is the sole radio interface subsystem. The 1Hz position rate is the minimum for tactical display update; lower rates cause track lag. The 15fps video rate is the SYS requirement passthrough — below this the operator cannot assess target engagement status. | Test | subsystem, communications-interface-unit, session-630, idempotency:sub-ciu-milstd6016-bms-link-630 |
| SUB-REQ-067 | The Fire Control System SHALL execute an automated boresight verification sequence upon entry into Operational mode from Maintenance mode, comparing day-camera and thermal imager optical axes against a common reference reticle, and SHALL report BORESIGHT-VERIFIED status within 5 minutes of sequence initiation. Rationale: SYS-REQ-015 mandates return to operational status within 5 minutes of maintenance completion via automated boresight. The FCS is the only subsystem with visibility of both sensor streams and the computational capability to run the comparison algorithm. Five-minute limit accounts for sensor warm-up plus algorithm execution time. | Test | subsystem, fire-control-system, sil-2, maintenance, session-630, idempotency:sub-fcs-boresight-verification-630 |
| SUB-REQ-068 | The Safety Interlock System's Dual-Channel Safety Controller SHALL be packaged as a dedicated sealed LRU conforming to STANAG 4370 AECTP 400 environmental specification, with the two processing channels on separate PCBs in a common electrically-shielded housing, and SHALL meet the dimensional and mass envelope defined in the Vehicle Integration Document. Rationale: Lint analysis identified the channel safety controller lacked Physical Object classification because no physical embodiment requirement existed. A SIL 3 controller must be a discrete, identifiable LRU with its own qualification trail; integration into a shared housing without a dedicated requirement creates an acceptance testing gap per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems). | Inspection | subsystem, safety-interlock-system, sil-3, lint-fix-high, session-630, idempotency:sub-sis-dcsc-physical-lru-630 |
| SUB-REQ-069 | The Target Tracking Processor SHALL output target angular position (azimuth and elevation) and angular rate (azimuth and elevation rate) to the Fire Control Computer at a minimum rate of 50 Hz, with an angular measurement resolution of not less than 0.05 mrad, formatted as a 64-byte binary packet over the internal PCIe data bus. Rationale: Finding 11: TTP classified as Outputs Effect but no output specification existed. The 50 Hz output rate matches the FCS closed-loop frequency (SUB-REQ-013). The 0.05 mrad resolution supports the 0.5 mrad RMS track error budget (SUB-REQ-014). Fire control algorithms require both position and rate to compute lead angle and filter target dynamics. | Test | subsystem, fire-control-system, target-tracking-processor, session-632, idempotency:sub-ttp-output-spec-632 |
| SUB-REQ-070 | The Ballistic Computation Module SHALL output a fire solution comprising azimuth lead angle, elevation correction, and fuze delay to the Fire Control Computer within 20ms of receiving updated inputs, with ballistic solution accuracy sufficient to achieve not less than 0.7 first-round hit probability against a 2m x 2m target at 1500m in a 0-20 km/h crosswind. Rationale: BCM is classified Outputs Effect but its output format and accuracy were not specified. The 20ms latency aligns with SUB-REQ-015. The 0.7 P1H accuracy links directly to SYS-REQ-001. Output must be quantified to enable integration testing between BCM and FCC — without a pass/fail criterion on the output, verification is not possible. | Test | subsystem, fire-control-system, ballistic-computation-module, session-632, idempotency:sub-bcm-output-spec-632 |
| SUB-REQ-071 | The Tactical Data Link Processor SHALL implement MIL-STD-6016 (STANAG 5516) message authentication using platform-keyed cryptographic validation, rejecting and logging any received messages that fail authentication, to prevent injection of false target data or fire commands via the tactical data link. Rationale: Tactical data link is classified Digital/Virtual — a cybersecurity attack injecting false target data or fire commands via the data link could cause engagement of unintended targets. MIL-STD-6016 defines authentication mechanisms; their use is mandatory in NATO tactical networks under STANAG 5048. Failure to authenticate received messages creates an unacceptable fire-control integrity risk. | Test | subsystem, communications-interface-unit, tactical-data-link, cybersecurity, session-632, idempotency:sub-tdl-cybersecurity-632 |
| SUB-REQ-072 | The Tactical Data Link Processor SHALL operate from the vehicle 28V DC bus (18V–32V operating range) with peak power consumption not exceeding 45W during active Link 16 transmission and quiescent consumption not exceeding 8W in receive-only mode. Rationale: Tactical Data Link Processor classification (hex 50F57258) includes the Powered trait. Without a defined operating voltage range and consumption budget, the PDU cannot allocate circuit protection, and thermal management cannot be scoped. 45W peak is derived from JTIDS/MIDS Class 2H terminal power specifications at maximum duty cycle. | Test | subsystem, communications-interface-unit, tactical-data-link, session-633, idempotency:sub-tdlp-power-633 |
| SUB-REQ-073 | When the Fire Control Computer detects an internal processing fault, the Fire Control System SHALL inhibit weapon firing, annunciate a fault code to the operator, and transition to safe state within 100ms of fault detection. Rationale: Fire control computer classified System-Essential (hex 51B73219); a single processing fault without failsafe response creates a hazardous state where commands may be generated without operator intent. 100ms response derived from the 8Hz servo update rate ensuring no more than one unchecked servo command is issued. Addresses SIL-2 safe-state requirement for Fire Control System. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-fcc-fault-failsafe-633 |
| SUB-REQ-074 | The Weapon Control Interface SHALL implement a hardware-enforced dual-confirmation logic where both the operator fire command and a valid safety controller channel-agree signal must be present simultaneously for the firing relay to be energised, with either input independently sufficient to de-energise within 5ms. Rationale: Weapon control interface classified System-Essential (hex 50F57A19) and SIL-2; dual-confirmation prevents spurious fire commands from a single-channel fault. The 5ms de-energisation response ensures the firing relay opens within one fire control computation cycle, preventing an unintended round from being chambered after a command withdrawal. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-wci-dual-confirm-633 |
| SUB-REQ-075 | When the Target Tracking Processor loses target track for more than 500ms, the Fire Control System SHALL automatically deselect the engagement target, inhibit the firing circuit, and require operator re-designation before a new firing solution can be computed. Rationale: TTP is System-Essential (hex D1F77219); continued weapon pointing at a lost or stale track risks engaging a non-threat target. 500ms threshold balances obscuration events (smoke, foliage) against positive control requirements per SIL-2 engagement safety. Re-designation enforces continuous operator positive control. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-ttp-tracklose-failover-633 |
| SUB-REQ-076 | The Ballistic Computation Module SHALL accept firing table and meteorological data updates only from authenticated, cryptographically signed sources, rejecting any unsigned or invalid-signature data and logging the rejection event. Rationale: BCM is classified Digital/Virtual (hex 41F73B19) and Normative; unsigned ballistic data injection is an attack vector that could corrupt firing solutions without operator awareness, leading to inaccurate or dangerous fire. Cryptographic authentication prevents data tampering in transit on the vehicle data bus. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-bcm-data-auth-633 |
| SUB-REQ-077 | The Power Distribution Unit SHALL implement independent fused circuit branches for safety-critical loads (firing interlock relay, safety controller, servo drives) such that a single branch overcurrent fault does not interrupt power to any other safety-critical load. Rationale: PDU is System-Essential (hex D6C51018); a shared power fault that disables multiple safety-critical loads simultaneously creates a dormant failure mode where the system may be non-operational at a critical moment. Independent branch protection ensures single-fault tolerance per IEC 61508 SIL-3 hardware fault tolerance requirements for the Safety Interlock System. | Test | subsystem, power-distribution-unit, sil-3, session-633, idempotency:sub-pdu-branch-isolation-633 |
| SUB-REQ-078 | When the primary (optical) imaging channel fails, the Electro-Optical Sensor Assembly SHALL continue providing thermal imaging data to the Fire Control Computer with no more than 2 seconds transition latency, and the operator SHALL be alerted via the Operator Control Unit. Rationale: Optical sensor assembly is System-Essential (hex D6C51018). SYS-REQ-011 allows degraded operation with thermal channel only; without an explicit transition requirement the system may silently lose the primary channel leaving the operator unaware. 2s transition matches the minimum operator response time specified in HFE-DMH ergonomics baseline. | Demonstration | subsystem, electro-optical-sensor-assembly, sil-2, session-633, idempotency:sub-eosa-channel-failover-633 |
| SUB-REQ-079 | The Fire Control System SHALL enforce that the operator explicitly acknowledges positive target identification (IFF status FRIEND, NEUTRAL, or UNKNOWN-HOSTILE with operator confirmation) on the Operator Control Unit before the fire-ready state can be achieved, and SHALL log the acknowledgement timestamp and operator identifier. Rationale: RWS is {{trait:Ethically Significant}} (hex {{hex:D6FC7059}}). International humanitarian law (IHL), including HPCR Manual on International Law Applicable to Air and Missile Warfare, and Rules of Engagement (ROE) require positive target identification before lethal force. The consequence of failure (fratricide or civilian harm) is catastrophic (S3 per IEC 61508 risk graph). However, this is a SOFTWARE-IMPLEMENTED operator confirmation step — not a hardware safety function — and serves as a defence-in-depth control supplementing the primary SIL-3 hardware interlock chain (SIS → DCSC → HFIR). Per IEC 61508-3 (Software Requirements), a software safety function with S3 consequence but implemented as a defensive layer below the primary hardware barrier is allocated SIL-2, not SIL-3. SIL-3 for software requires formal verification methods (including theorem proving or model checking) not mandated here. The primary SIL-3 barrier remains the hardware firing interlock (SUB-REQ-001 through SUB-REQ-004). This requirement is allocated SIL-2, requiring structured software development, MC/DC testing, and independent software verification per IEC 61508-3 Section 7.4. | Inspection | subsystem, fire-control-system, ethical, roe, session-633, idempotency:sub-fcs-positive-id-roe-633, red-team-session-640, reqs-eng-session-641, sil-2 |
| SUB-REQ-080 | The Tactical Data Link Processor SHALL comply with MIL-STD-6016E (Tactical Data Link Standard for JTIDS/MIDS) for all Link 16 message formatting, timing, and encryption, and SHALL support a minimum of Link 16 J-series message types J2.2 (Track Data), J3.0 (Reference Point), and J7.0 (Net Entry) to enable BMS integration. Rationale: SYS-REQ-013 mandates MIL-STD-6016 compatible tactical data link. Without explicit compliance at the subsystem level, the TDLP could be implemented with a proprietary superset that fails system integration tests. J2.2, J3.0, and J7.0 are the minimum message set required for RWS track reporting and BMS integration per STANAG 5516 interoperability baseline. | Test | subsystem, communications-interface-unit, tactical-data-link, regulated, session-633, idempotency:sub-tdlp-milstd6016-633 |
| SUB-REQ-081 | The Fire Control System SHALL perform automated boresight verification between the gun barrel axis and the primary day-channel optical line-of-sight at system power-on and after barrel replacement, reporting a pass or fail result within 60 seconds, with pass criterion of bore offset not exceeding 0.3 mrad. Rationale: SYS-REQ-015 requires barrel change support in under 15 minutes; without automated boresight verification after barrel replacement the system cannot confirm weapon-to-sensor alignment before resuming operations. 0.3 mrad bore offset threshold is derived from SYS-REQ-001 first-round hit probability requirement at 1000m engagement range. | Test | subsystem, fire-control-system, session-633, idempotency:sub-fcs-auto-boresight-633 |
| SUB-REQ-082 | While in Degraded Operation mode with one sensor modality failed, the Remote Weapon Station SHALL maintain a minimum engagement range of 800m against stationary targets with the remaining sensor channel and SHALL alert the operator within 3 seconds of sensor failure detection. Rationale: STK-REQ-012 specifies degraded operation but provides no measurable performance floor. 800m minimum engagement range is derived from the degraded-channel acquisition probability curve: at 800m the single-channel P(first-round-hit) remains above 0.5 against a stationary 2.3m target. The 3-second alert bound is the maximum delay for operators to adjust tactics per human factors engineering baseline. | Demonstration | subsystem, electro-optical-sensor-assembly, fire-control-system, session-633, idempotency:sub-rws-degraded-mode-metrics-633 |
| SUB-REQ-083 | When the Fire Control Computer hardware watchdog asserts a system reset, the Fire Control Computer SHALL complete a controlled restart, re-run Built-In Test, and return to the last operational mode within 10 seconds, maintaining the weapon in the SAFE state throughout the recovery sequence. Rationale: The FCC is System-Essential (SIL-2 context) and its restart path is not currently specified. 10-second recovery bound is derived from SYS-REQ-002 (8s engagement time) — an FCC reset during engagement must complete before the next engagement window, plus 2s margin. SAFE state maintenance throughout ensures a watchdog reset cannot be exploited to bypass the firing interlock. | Test | subsystem, fire-control-system, sil-2, fcc-fdir, session-634, idempotency:sub-fcc-restart-recovery-634 |
| SUB-REQ-084 | The Operator Control Unit SHALL present all primary fire control functions (arm, fire, mode select, target track enable) within a single operating screen requiring no more than two control actuations to reach any safety-critical function from the rest state. Rationale: RWS is Human-Interactive (operator-in-the-loop for all engagements). Cognitive workload under stress is a human factors risk; two-action maximum derives from NATO STANAG 4586 (UAV Control Systems) HMI workload principles applied to weapon system interfaces and matches SYS-REQ-007 two-action arming sequence. | Demonstration | subsystem, operator-control-unit, hmi, human-factors, session-634, idempotency:sub-ocu-hmi-workload-634 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL use a turret ring mechanical mounting compliant with STANAG 4472 Edition 2 (RWS/RCWS mounting interface), capable of transmitting 25kN peak recoil load and 15kN sustained lateral load without structural yielding, with a ring diameter of 775mm ±1mm, 24 M12 class 10.9 mounting bolts on a 750mm PCD, and a positional misalignment tolerance of ±0.5mm to maintain weapon boresight alignment under all operating loads. Rationale: External interface: Host Vehicle Platform provides the structural mounting. STANAG 4472 Edition 2 is the NATO standard governing RWS mounting interfaces, adopted to ensure cross-vehicle interoperability across NATO partner platforms. 25kN peak recoil from .50 cal HMG ballistic data (NATO EPVAT round); 15kN lateral from NATO STANAG 4569 Level 1 blast and ballistic test conditions. 775mm ring diameter and 750mm PCD are standard for vehicle class IIIb. ±0.5mm misalignment tolerance preserves <0.1 mil bore axis deviation under load. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-mechanical-617, red-team-session-640, reqs-eng-session-641 |
| IFC-REQ-002 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL receive 28VDC power (18-32V operating range per MIL-STD-1275E) at a maximum continuous draw of 2kW and peak draw of 3.5kW during slew-and-fire. Rationale: External interface: Vehicle power bus is the sole power source. Power budget: 500W surveillance + 1.5kW servo slew + 500W weapon feed = 2.5kW typical peak. 3.5kW includes transient margin for simultaneous operations. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-power-617 |
| IFC-REQ-003 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL exchange vehicle status and power management data via CAN-bus (ISO 11898, 500 kbps) with message latency not exceeding 10ms. Rationale: External interface: CAN-bus is the vehicle data backbone. FCS needs vehicle speed and heading for ballistic computation; vehicle needs RWS power demand for load management. 10ms latency ensures fire control solution freshness. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-canbus-617 |
| IFC-REQ-004 | The interface between the Remote Weapon Station and the GPS/Navigation System SHALL receive position and heading data via RS-422 at 10 Hz in NMEA-0183 or military GPS format, with position accuracy of less than 10m CEP. Rationale: External interface: GPS provides position for ballistic computation (Coriolis correction at long range) and blue force tracking. RS-422 chosen for noise immunity in the vehicle EMI environment. 10 Hz matches FCS update rate. | Test | interface, external, session-617, idempotency:ifc-ext-gps-617 |
| IFC-REQ-005 | The interface between the Remote Weapon Station and the Ammunition Supply System SHALL accept STANAG 4090 compatible linked ammunition via an articulated belt feed chute from a vehicle-mounted magazine of 200 to 400 round capacity. Rationale: External interface: Ammunition supply is mechanical. STANAG 4090 ensures interoperability with NATO ammunition types. Flexible chute accommodates turret rotation. Magazine size trades capacity against vehicle interior space. | Inspection | interface, external, session-617, idempotency:ifc-ext-ammo-617 |
| IFC-REQ-006 | The interface between the Remote Weapon Station and the Tactical Data Link (BMS) SHALL transmit compressed sensor video at not less than 15 fps, position reports at 1 Hz, and target data with end-to-end latency not exceeding 200ms for engagement-critical messages. Rationale: External interface: Tactical data link enables remote engagement authorization by the Tactical Commander. 200ms latency budget is allocated from the 8s detect-to-fire timeline. H.264 compression at 15 fps balances bandwidth and image quality. | Test | interface, external, session-617, idempotency:ifc-ext-bms-617 |
| IFC-REQ-007 | The interface between the Electro-Optical Sensor Assembly and the Fire Control System SHALL provide uncompressed digital video (640x512, 30 fps minimum) on both EO and TI channels simultaneously, with frame timestamp synchronisation to less than 1ms. Rationale: Internal interface: FCS needs raw uncompressed video for auto-tracker centroid computation. Timestamp sync ensures tracker fusion of EO and TI data does not introduce lag. 30 fps supports 10 Hz tracking loop with 3x oversampling. | Test | interface, internal, session-617, idempotency:ifc-int-eosa-fcs-video-617 |
| IFC-REQ-008 | The interface between the Fire Control System and the Turret Drive Assembly SHALL provide servo demand signals (azimuth and elevation rate commands) at 100 Hz via a dedicated serial link, with the TDA returning encoder position feedback at the same rate. Rationale: Internal interface: the servo control loop requires 100 Hz update rate for 0.2 mrad pointing accuracy under vehicle vibration. Dedicated link prevents bus contention with lower-priority traffic. | Test | interface, internal, session-617, idempotency:ifc-int-fcs-tda-servo-617 |
| IFC-REQ-009 | The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly SHALL be a hardwired normally-open relay contact (IEC 61810 class C rated at minimum 24 VDC / 5A resistive load) that physically interrupts the weapon firing circuit within 10ms of the SIS entering any state other than FIRE ENABLED, with a minimum isolation voltage of 500 VDC between the SIS control circuit and the WAH firing circuit, and with contact bounce not exceeding 2ms. Rationale: Internal interface: SIL 3 firing chain safety per IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems), hazard H-001 (unintended weapon discharge) and H-007 (loss of fire control). The IEC 61810 class C rating ensures the relay is qualified for safety applications. Normally-open contact means loss of SIS control power results in firing circuit open (fail-safe). 10ms maximum switching time is within the safe reaction time derived from weapon charge-to-fire latency (>150ms), giving 15:1 margin. 500 VDC isolation prevents transient coupling between the SIS low-voltage logic domain and the WAH firing circuit. 2ms contact bounce limit prevents false re-enabling of the firing circuit during relay release. | Test | interface, internal, safety, sil-3, session-617, idempotency:ifc-int-sis-wah-firing-617, red-team-session-640, reqs-eng-session-641 |
| IFC-REQ-010 | The interface between the Safety Interlock System and the Turret Drive Assembly SHALL provide a hardwired brake-release signal; when de-asserted, spring-applied mechanical brakes on both axes SHALL engage within 200ms. Rationale: Internal interface: SIL 2 turret motion safety per H-002. Spring-applied brakes default to engaged on power loss. SIS controls brake release via dedicated hardwired signal independent of FCS software. | Test | interface, internal, safety, sil-2, session-617, idempotency:ifc-int-sis-tda-brake-617 |
| IFC-REQ-011 | The interface between the Arming Key Switch Assembly and the Dual-Channel Safety Controller SHALL be a direct hardwired 28VDC discrete signal per key position (SAFE: 0V, ARMED: 28V, MAINTENANCE-LOCKOUT: floating/open), with no intervening software processing, maximum signal propagation delay of 1ms, and wire continuity monitored by the controller at 100Hz. Rationale: Hardware-direct wiring (no software intermediary) is mandated by SYS-REQ-007 and SYS-REQ-008 to ensure the key switch state cannot be spoofed by a software fault. 28VDC matches the vehicle bus standard. 100Hz monitoring ensures the controller detects wire open/short within 10ms, supporting the 100ms fault-safe-state budget. | Test | interface, safety-interlock-system, sil-3, safety, session-618, idempotency:ifc-aks-dsc-618 |
| IFC-REQ-012 | The interface between the E-stop and Link Watchdog Module and the Dual-Channel Safety Controller SHALL be a dual hardwired discrete signal (one per channel of the 1oo2D controller), with signal assertion latency not greater than 5ms from event detection, providing galvanic isolation of at least 500V between the module and each controller channel. Rationale: Dual signals align with the 1oo2D architecture so each controller channel receives an independent safe-state trigger. Galvanic isolation prevents a fault in the E-stop circuit from propagating to the controller power rail. 5ms latency fits within the 200ms watchdog trigger budget with 40x margin. | Test | interface, safety-interlock-system, sil-2, safety, session-618, idempotency:ifc-ewd-dsc-618 |
| IFC-REQ-013 | The interface between the Dual-Channel Safety Controller and the Hardware Firing Interlock Relay SHALL be a 24VDC energise signal with both controller channels required to assert simultaneously (AND-gate logic in relay driver), signal de-assertion propagating to relay de-energisation within 10ms, and the relay feedback state returned to both controller channels for output verification. Rationale: Requiring both channels to simultaneously assert fire-enable prevents a single stuck-high channel from activating the relay — maintaining SIL 3 fault tolerance. Feedback verification allows the controller to detect relay weld failure (stuck energised), a critical failure mode that would bypass the primary firing barrier. | Test | interface, safety-interlock-system, sil-3, safety, session-618, idempotency:ifc-dsc-hfi-618 |
| IFC-REQ-014 | The interface between the Dual-Channel Safety Controller and the Safe State Output Driver SHALL carry separate drive commands for each actuator output (azimuth brake, elevation brake, firing inhibit relay coil) on a dedicated hardwired bus, with command-to-actuator response time not greater than 20ms and actuator current feedback monitored by the controller to detect open-circuit and short-circuit faults. Rationale: Individual actuator command lines allow the controller to de-energise specific outputs during partial safe states (e.g., brakes only, not firing inhibit) rather than all outputs simultaneously. Current feedback enables the controller to detect actuator failures that would otherwise only be discovered during emergency operation, supporting the IEC 61508 SIL 3 diagnostic coverage requirement. | Test | interface, safety-interlock-system, sil-2, safety, session-618, idempotency:ifc-dsc-ssod-618 |
| IFC-REQ-015 | The interface between the Target Tracking Processor and the Fire Control Computer SHALL transfer target centroid coordinates in mrad relative to boresight, track quality metric (0.0–1.0), and target angular velocity vector at 50Hz via a PCIe x4 internal bus with end-to-end latency not exceeding 1ms. Rationale: The FCC pointing loop (SUB-REQ-013) requires track data at 50Hz. PCIe x4 is available on the FCS backplane and provides sufficient bandwidth (>1Gbps) for this data at sub-millisecond latency. Competing alternatives (Ethernet, USB) add latency and jitter incompatible with the 20ms control budget. | Test | interface, fire-control-system, session-620, idempotency:ifc-ttp-fcc-track-620 |
| IFC-REQ-016 | The interface between the Fire Control Computer and the Ballistic Computation Module SHALL provide LRF range measurement (±5m accuracy), target angular velocity from TTP, host platform linear velocity (from IMU at 100Hz), and ammunition ballistic coefficient table; and the BCM SHALL return azimuth and elevation corrections in mrad within 20ms of receiving updated range. Rationale: BCM runs as a software thread on FCC (ARC-REQ-008), so this is an intra-processor data interface. Defining it as an explicit interface requirement ensures the ballistic thread scheduler priority and data freshness are verified in integration test. 20ms latency requirement is from SYS-REQ-002 engagement time budget. | Test | interface, fire-control-system, session-620, idempotency:ifc-fcc-bcm-ballistic-620 |
| IFC-REQ-017 | The interface between the Fire Control Computer and the Weapon Control Interface SHALL use RS-422 full-duplex at 115200 baud transmitting FIRE, CEASE, and SAFE commands with a 16-bit CRC, and the WCI SHALL return round counter and fault status at 10Hz. End-to-end command latency SHALL not exceed 1ms. Rationale: RS-422 provides differential signalling with inherent noise immunity for the weapon bay environment (high electrical noise from solenoid switching). 115200 baud is sufficient for command throughput at 10Hz status telemetry. The WCI is galvanically isolated from FCC via RS-422 opto-couplers to protect FCC logic from solenoid transients (per ARC-REQ-008). CRC ensures command integrity against noise-induced bit errors. | Test | interface, fire-control-system, session-620, idempotency:ifc-fcc-wci-rs422-620 |
| IFC-REQ-018 | The interface between the Barrel Change Mechanism and the Safety Interlock System SHALL transmit the BARREL-NOT-LOCKED signal as a hardwired 24VDC discrete output, active-low (0V = barrel locked, 24V = barrel not locked), with signal update latency not exceeding 50ms from barrel lock state change. Rationale: A hardwired discrete signal (not digital bus) is required because the barrel retention condition feeds the SIS hardware interlock chain. SIS-level interlocks must be hardware-isolated from software bus failures. Active-low convention ensures a wiring fault (open circuit) de-asserts the fire permit signal, enforcing fail-safe behaviour. | Test | interface, weapon-and-ammunition-handling, sil-2, session-621, idempotency:ifc-bcm-sis-barrel-621 |
| IFC-REQ-019 | The interface between the Ammunition Magazine Assembly and the Fire Control Computer SHALL transmit round-count data at 1Hz via MIL-STD-1553B Bus B, with a resolution of 1 round and a count accuracy of ±5 rounds across the full 400-round capacity. Rationale: 1Hz update rate is sufficient for operator awareness and mission planning — round count does not change faster than weapon cyclic rate divided by 60. MIL-STD-1553B Bus B is chosen for consistency with the vehicle-level data bus architecture and inherent error detection. ±5 round accuracy is sufficient for the operator to assess remaining endurance; sub-round accuracy is not achievable with belt-count sensors and not required for any safety function. | Test | interface, weapon-and-ammunition-handling, session-621, idempotency:ifc-ama-fcc-roundcount-621 |
| IFC-REQ-020 | The interface between the Belt Feed and Transfer Mechanism and the Weapon Cradle and Mount SHALL maintain belt tension within 15N to 25N at the weapon feed port across the full RWS traverse envelope of 360° azimuth and -20° to +55° elevation, preventing belt sag (below 15N) and feed jams (above 25N). Rationale: Belt tension outside 15-25N is the primary cause of feed jams in belt-fed weapon systems on remote turrets. Below 15N the belt sags and misaligns at the feed port during rapid traverse; above 25N belt links bind and the feed pawls skip. The full traverse envelope test is required because tension varies with belt path geometry as the turret moves. | Test | interface, weapon-and-ammunition-handling, session-621, idempotency:ifc-bftm-wcm-tension-621 |
| IFC-REQ-021 | The interface between the Fire Control Computer and the Turret Drive Controller SHALL transmit weapon aiming demand packets at 50Hz via PCIe, with azimuth and elevation demand angles encoded as 32-bit IEEE 754 floats in radians, and end-to-end latency from FCC demand generation to TDC actuator command not exceeding 5ms. Rationale: 50Hz aiming demand rate is derived from the FCS control loop rate (SYS-REQ-001 hit probability). 5ms end-to-end latency ensures the TDA follows the fire control solution within the lag budget — at 30°/s maximum slew rate, 5ms latency introduces 0.15° positional error which is within the 0.1 mrad allocation. | Test | interface, turret-drive-assembly, sil-2, session-621, idempotency:ifc-fcc-tdc-aiming-621 |
| IFC-REQ-022 | The Azimuth Slip Ring Assembly SHALL transfer 24VDC power at up to 20A continuous, MIL-STD-1553B data at 1Mbps, Ethernet 100BASE-TX, and analog sensor signals (±10V, 10kHz bandwidth) without signal degradation exceeding 3dB or contact resistance increasing beyond 10mΩ over the rated life of 50,000 rotations. Rationale: Continuous 360° azimuth requires electrical continuity through the rotation joint. The multi-circuit specification (power + 1553B + Ethernet + analog) covers all signals that must cross the azimuth rotation boundary. Contact resistance and signal attenuation limits are derived from downstream subsystem power and data margin requirements. | Test | interface, turret-drive-assembly, session-621, idempotency:ifc-sra-circuits-621 |
| IFC-REQ-023 | The interface between the Electro-Optical Sensor Assembly and the Fire Control Computer SHALL transmit simultaneous thermal and daylight video streams at 50Hz via dual GigE Vision (IEEE 802.3) connections, with end-to-end video latency not exceeding 30ms from scene capture to FCC frame buffer. Rationale: Simultaneous dual-channel video is required for FCS automatic target acquisition which correlates day and thermal imagery. 30ms maximum video latency is derived from the 5-second detect-to-fire timeline — latency above 30ms would cause the target tracking loop to lose lock on a target moving at 50 km/h. | Test | interface, electro-optical-sensor-assembly, sil-2, session-621, idempotency:ifc-eosa-fcc-video-621 |
| IFC-REQ-024 | The interface between the OCU Control Processing Unit and the Fire Control Computer SHALL carry dual-channel video (thermal and daylight) from FCC to OCU CPU via 100BASE-TX Ethernet at a maximum bandwidth of 200 Mbps, and SHALL carry operator command packets (slew, arm, fire mode) from OCU CPU to FCC at 100Hz with latency not exceeding 5ms. Rationale: 200 Mbps Ethernet bandwidth is sufficient for 2x uncompressed thermal+day video at 50Hz. Command packet latency of 5ms ensures OCU CPU does not add perceptible latency to the weapon control path — combined with GHC 10ms and FCC processing, total operator-to-turret command latency stays within 25ms. | Test | interface, operator-control-unit, session-621, idempotency:ifc-ocu-fcc-621 |
| IFC-REQ-025 | The interface between the Tactical Data Link Processor and the external Battle Management System SHALL use MIL-STD-6016 (STANAG 5516) over a compatible radio transceiver at the vehicle external antenna, providing a minimum data throughput of 115.2 kbps for tactical message exchange. Rationale: IFC-REQ-006 specifies BMS data link requirements at system level; this interface requirement defines the physical/protocol boundary at the TDP output where it connects to the external radio. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-tdp-bms-radio-622 |
| IFC-REQ-026 | The interface between the Video Compression and Network Interface Module and the Tactical Data Link Processor SHALL exchange compressed video metadata and target data over an internal GigabitEthernet link with a frame scheduling latency not exceeding 10ms. Rationale: The TDP must annotate video frames with target track data before BMS transmission; the 10ms scheduling latency ensures the combined end-to-end 200ms budget in IFC-REQ-006 is not exceeded by internal CIU processing. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-vcni-tdp-internal-622 |
| IFC-REQ-027 | The interface between the CAN Bus and Serial Protocol Gateway and the Fire Control Computer SHALL provide GPS position and heading data over the internal RWS Ethernet (UDP, port 5000) at 10 Hz with a timestamp accuracy of better than 5ms relative to GPS time-of-validity. Rationale: IFC-REQ-004 requires GPS data at 10Hz for ballistic computation; the 5ms timestamp accuracy is necessary for lead angle calculations at slew rates up to 60 deg/s per SYS-REQ-003. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-cpg-fcs-gps-622 |
| IFC-REQ-028 | The interface between the Power Distribution and Protection Module and the Safety Interlock System SHALL provide an always-on, non-load-shedded 28VDC supply rail at a minimum of 2A, with supply voltage maintained within 18-32VDC even during load shedding events on other subsystem branches. Rationale: The SIS must remain powered during all fault and load-shedding scenarios to maintain the safe state — de-energising the SIS power rail during any fault condition would prevent the safety function from executing. This is a functional safety requirement driven by IEC 61508 SIL 3 integrity of the SIS. | Test | interface, power-distribution-unit, sil-3, session-622, idempotency:ifc-pdpm-sis-always-on-622 |
| IFC-REQ-029 | The interface between the Power Monitor and Control Unit and the Fire Control Computer SHALL transmit power telemetry messages over RS-422 (38400 baud) using a defined message format containing per-branch voltage, current, and fault status at a minimum of 10 Hz. Rationale: FCS needs real-time power status to implement load priority algorithms during peak demand (e.g., disable OCU display rather than FCS during slew-and-fire). Message format and baud rate must be agreed at system integration. | Test | interface, power-distribution-unit, session-622, idempotency:ifc-pmcu-fcs-telemetry-622 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Safety Interlock System separated from Fire Control System — The weapon safety function (SIS) is implemented as a separate hardware subsystem from the fire control computation (FCS). Alternative: single FCS with software safety layer. Rejected because IEC 61508 SIL 3 requires diversity between the safety function and the control function. A software fault in the FCS must not be capable of defeating the firing interlock. Rationale: H-001, H-003, H-007 require SIL 3 for the firing chain. IEC 61508 Part 2 Table A.2 mandates diverse redundancy at SIL 3. Software-only safety in the same processor as the FCS cannot achieve the required PFD of <1E-7 per hour. | Analysis | architecture, safety, session-617, idempotency:arc-sis-separation-617 |
| ARC-REQ-002 | ARC: Turret Drive Assembly as mechanical subsystem — The TDA groups servo motors, encoders, brakes, gyro/IMU, and structural turret ring into one subsystem. Alternative: separate servo electronics from mechanical structure. Rejected because the servo control loop requires tight coupling between motor, encoder, and gyro — distributing these across subsystems would introduce interface latency in the 100 Hz control loop. Rationale: 100 Hz servo loop with 0.2 mrad accuracy requires deterministic timing between encoder read, gyro compensation, and motor command. Physical co-location minimises cable length and EMI susceptibility in the power drive circuits. | Analysis | architecture, session-617, idempotency:arc-tda-grouping-617 |
| ARC-REQ-003 | ARC: Electro-Optical Sensor Assembly as integrated sensor head — The EOSA integrates day camera, thermal imager, and laser rangefinder into a single gimballed head. Alternative: distributed sensors (e.g., fixed TI with separate gimballed day camera). Rejected because boresight coherence between sensors is critical for target handoff from detection (TI) to identification (day camera) to ranging (LRF). An integrated head maintains mechanical boresight alignment. Rationale: Target engagement requires seamless sensor handoff. Distributed sensors require active boresight maintenance algorithms and add latency. Integrated heads are standard in operational RWS (e.g., M151 PROTECTOR, CROWS) for this reason. | Analysis | architecture, session-617, idempotency:arc-eosa-integration-617 |
| ARC-REQ-004 | ARC: Separate Communications Interface Unit — External data link functions are isolated in a dedicated CIU rather than integrated into the FCS. Alternative: FCS handles all external comms. Rejected because tactical data link protocols (MIL-STD-6016) and video compression are processing-intensive and not safety-critical — mixing them into the SIL-rated FCS processor would require the entire FCS to be certified to the higher ASIL, increasing cost and schedule. Rationale: Separation of safety-critical (FCS, SIL 2 for computation) from non-safety-critical (CIU, SIL 0) processing reduces certification scope. The CIU can use commercial-grade video encoders without contaminating the FCS safety case. | Analysis | architecture, session-617, idempotency:arc-ciu-separation-617 |
| ARC-REQ-005 | ARC: Spring-applied electrically-released brakes — TDA uses spring-applied, electrically-released mechanical brakes on both axes. Alternative: electrically-applied brakes. Rejected because fail-safe behaviour requires brakes to engage on power loss. In the IED Strike scenario (H-006), cable damage de-energises the turret — spring-applied brakes automatically arrest turret motion without requiring power or software intervention. Rationale: H-002 (uncommanded turret motion, SIL 2) and H-006 (loss of control link) both require fail-safe braking. Spring-applied brakes are the only architecture that guarantees braking on total power loss. This is standard in safety-critical servo systems. | Analysis | architecture, safety, session-617, idempotency:arc-brake-failsafe-617 |
| ARC-REQ-006 | ARC: Safety Interlock System 1oo2D redundant channel architecture — The Dual-Channel Safety Controller implements 1oo2D (one-out-of-two with diagnostics) voting with independent processing channels and cross-channel monitoring. Alternative: single SIL-3 channel with increased reliability. Rejected because IEC 61508 SIL 3 for a category B subsystem (complex electronics) requires hardware fault tolerance HFT=1, meaning the safety function must tolerate one channel failure. The 1oo2D architecture achieves PFD ≤ 1×10⁻⁴/hr and enables online diagnostic coverage >90% required for SIL 3 compliance. Rationale: Architecture decisions are verified by design review inspection: confirm the 1oo2D redundant channel architecture is implemented as specified in the design documentation, safety case, and FMEDA. The architectural independence property is confirmed by physical inspection of channel separation, power supplies, and signal paths. | Inspection | architecture, safety, safety-interlock-system, sil-3, session-618, idempotency:arc-sis-1oo2d-618 |
| ARC-REQ-007 | ARC: Fire Control System decomposed into FCC, TTP, BCM, and WCI — The FCS is split into four components: Fire Control Computer (master controller), Target Tracking Processor (dedicated video processing FPGA/GPU), Ballistic Computation Module (software module on FCC), and Weapon Control Interface (hardware firing translator). Alternative: monolithic FCS with all functions in one SBC. Rejected because TTP requires hardware video acceleration incompatible with the FCC real-time OS; and WCI requires galvanic isolation from FCC to prevent firing solenoid transients corrupting the fire control computation. BCM is a software module on FCC (not a separate processor) because ballistic computation latency requirement of 20ms is achievable on FCC and adding a separate board adds interface latency and failure modes. Rationale: IFC-REQ-007 (EOSA video at 50Hz) requires >500Mbps processing bandwidth not achievable on the FCC general-purpose processor. Weapon solenoid drive emits 100V switching transients requiring 1500V optical isolation to protect FCC logic. BCM latency of 20ms (from SYS-REQ-002 engagement time budget) is achievable as a software thread on FCC without added inter-processor latency. | Analysis | architecture, fire-control-system, session-620, idempotency:arc-fcs-decomposition-620 |
| ARC-REQ-009 | ARC: Weapon and Ammunition Handling Assembly — Passive structural decomposition with dedicated recoil management. The WAHA separates weapon mounting (Weapon Cradle and Mount), recoil attenuation (Recoil Buffer and Damping System), ammunition storage (Ammunition Magazine Assembly), belt routing (Belt Feed and Transfer Mechanism), and barrel maintenance (Barrel Change Mechanism) into discrete components. This decomposition was chosen over a monolithic weapon mount because independent recoil management allows the turret structure to be designed to a 5kN transmitted force ceiling rather than 25kN peak, reducing turret mass by approximately 40%. Barrel change and magazine reload are isolated from load-bearing components to enable single-maintainer servicing without removing the cradle. Rationale: Structural decomposition decision with direct mass and maintainability implications. Separating recoil buffer from cradle reduces turret structural sizing and enables independent replacement of high-wear components. | Inspection | architecture, weapon-and-ammunition-handling, session-621, idempotency:arc-waha-621 |
| ARC-REQ-010 | ARC: Turret Drive Assembly — Dual-axis motion control with slip ring power transfer and dual-redundant encoders. Separate azimuth and elevation motor-gearbox units were chosen over a single gimbal drive because the differing travel ranges (360° azimuth vs 75° elevation) and torque requirements (500Nm vs 200Nm) require different gear ratios. The worm gearbox on the elevation axis provides self-locking at power loss, eliminating the need for a separate elevation hold brake. Dual-redundant encoders allow TDC and SIS to independently verify turret position — a single-encoder failure does not compromise the SIS-level drive inhibit function. Rationale: Dual-axis separation, worm drive elevation, and dual-redundant encoder selection are the three key architectural decisions for the TDA. All three have direct implications for safety (SIL 2 drive inhibit), performance (slew rate), and maintainability. | Inspection | architecture, turret-drive-assembly, sil-2, session-621, idempotency:arc-tda-621 |
| ARC-REQ-011 | ARC: Electro-Optical Sensor Assembly — Common stabilised platform with separate day and thermal channels. The EOSA mounts the thermal imager, daylight camera, and laser rangefinder on a single 2-axis stabilised gimbal (Sensor Head Stabilisation Platform). A separate stabilised gimbal per channel was rejected because it would increase sensor head mass and require separate bore-sight maintenance procedures. Co-mounting on a single gimbal allows simultaneous day/thermal imagery with guaranteed co-boresight alignment maintained at the platform level rather than requiring software registration. The SHSP stabilises to 0.1 mrad RMS — this is tighter than the turret drive pointing accuracy (0.1 mrad) to decouple sensor stabilisation from pointing control. Rationale: Co-mounted channels on single stabilised platform reduces mass and ensures mechanical bore-sight coherence across day, thermal, and LRF channels — critical for fire control accuracy and degraded-mode operation (SYS-REQ-011). | Inspection | architecture, electro-optical-sensor-assembly, sil-2, session-621, idempotency:arc-eosa-621 |
| ARC-REQ-012 | ARC: Operator Control Unit — Three-component architecture separating display (ODU), input (GHC), and processing (OCU CPU). This separation allows OCU CPU and GHC to operate from separate power supplies, ensuring gunner input is not lost if the display fails. The OCU CPU composites video overlay graphics locally, reducing bandwidth on the FCC-OCU link to video-only traffic. A monolithic touchscreen-only design was rejected because tactile trigger operation is essential under high-vibration or cold-weather conditions where touch accuracy degrades. Rationale: Separating display from processing enables display failure tolerance and reduces FCC-OCU interface bandwidth. Separate physical trigger (GHC) from touchscreen ensures reliable weapon control in adverse conditions. | Inspection | architecture, operator-control-unit, session-621, idempotency:arc-ocu-621 |
| ARC-REQ-013 | ARC: Power Distribution Unit decomposed into passive filter, SSPC distribution, DC-DC converters, and supervisory monitor — The PDU separates the passive EMC/surge protection function (Primary Power Input Filter) from the active switching and protection (Power Distribution and Protection Module) to allow independent testing and replacement. The DC-DC Converter Array is a separate module because secondary rail failure (12V/5V/3.3V) must not cascade to 28V distribution. The Power Monitor and Control Unit is isolated to a dedicated processor so power fault logging continues even if a SSPC control loop fails. Alternative: integrated power conditioning module. Rejected because a single integrated module would require full replacement for any single-function failure, increasing maintenance burden per SYS-REQ-015 LRU replacement. Rationale: Modular PDU architecture enables LRU-level replacement per SYS-REQ-015 (15-min barrel/LRU change) and ensures fault isolation between power functions. | Inspection | architecture, power-distribution-unit, session-622, idempotency:arc-pdu-decomposition-622 |
flowchart TB n0["component<br>Dual-Channel Safety Controller"] n1["component<br>Hardware Firing Interlock Relay"] n2["component<br>Arming Key Switch Assembly"] n3["component<br>E-stop and Link Watchdog Module"] n4["component<br>Safe State Output Driver"] n2 -->|arm-key-status 28VDC| n0 n3 -->|E-STOP + watchdog signal| n0 n0 -->|fire-enable dual-channel| n1 n0 -->|brake+inhibit command| n4
Safety Interlock System — Internal
flowchart TB n0["component<br>Fire Control Computer"] n1["component<br>Target Tracking Processor"] n2["component<br>Ballistic Computation Module"] n3["component<br>Weapon Control Interface"] n1 -->|track data 50Hz| n0 n0 -->|range + IMU + target data| n2 n2 -->|ballistic corrections| n0 n0 -->|FIRE/CEASE/SAFE RS-422| n3
Fire Control System — Internal
flowchart TB n0["component<br>Weapon Cradle and Mount"] n1["component<br>Recoil Buffer and Damping System"] n2["component<br>Ammunition Magazine Assembly"] n3["component<br>Belt Feed and Transfer Mechanism"] n4["component<br>Barrel Change Mechanism"] n2 -->|belted ammo feed| n3 n3 -->|round chambering| n0 n0 -->|recoil impulse transfer| n1 n4 -->|barrel attach/detach| n0
Weapon and Ammunition Handling — Internal
flowchart TB n0["component<br>Turret Drive Controller"] n1["component<br>Azimuth Drive Motor and Gearbox"] n2["component<br>Elevation Drive Motor and Gearbox"] n3["component<br>Turret Position Encoder Assembly"] n4["component<br>Azimuth Slip Ring Assembly"] n4 -->|28VDC power + CAN-bus signals| n0 n3 -->|az/el position feedback| n0 n0 -->|azimuth drive command| n1 n0 -->|elevation drive command| n2
Turret Drive Assembly — Internal
flowchart TB n0["component<br>Thermal Imaging Camera"] n1["component<br>Daylight Television Camera"] n2["component<br>Laser Rangefinder"] n3["component<br>Sensor Head Stabilisation Platform"] n0 -->|LWIR video stream| n3 n1 -->|1080p video stream| n3 n2 -->|range data 200m-5km| n3
Electro-Optical Sensor Assembly — Internal
flowchart TB n0["component<br>OCU Control Processing Unit"] n1["component<br>Operator Display Unit"] n2["component<br>Gunner Hand Controller"] n2 -->|joystick + trigger inputs| n0 n0 -->|video + status display| n1
Operator Control Unit — Internal
flowchart TB n0["component<br>Tactical Data Link Processor"] n1["component<br>Video Compression and Network Interface Module"] n2["component<br>CAN Bus and Serial Protocol Gateway"] n3["component<br>EMC Filter and Surge Protection Assembly"] n1 -->|compressed video stream| n0 n2 -->|system status + target data| n0 n3 -->|conditioned CAN-bus signals| n2
Communications Interface Unit — Internal
flowchart TB n0["component<br>Primary Power Input Filter and Surge Arrester"] n1["component<br>DC-DC Converter Array"] n2["component<br>Power Distribution and Protection Module"] n3["component<br>Power Monitor and Control Unit"] n0 -->|filtered 28VDC| n1 n0 -->|28VDC to subsystems| n2 n3 -->|load shed commands| n2
Power Distribution Unit — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Ammunition cookoff from thermal exposure | 00000201 | Hazard in RWS: ammunition in the feed system or magazine detonates due to excessive heat from sustained firing, vehicle fire, IED strike, or solar heating in desert environments. Consequence: catastrophic destruction of turret assembly, potential hull breach, crew casualties. Desert operations can reach ammunition storage temperatures above 70°C ambient. Sustained firing heats the receiver and barrel, conducting heat to adjacent ammunition. |
| Ammunition Feed and Management | 51F73219 | System function of Remote Weapon Station (RWS): manages the mechanical belt feed from magazine to weapon chamber, tracks round count, detects ammunition type via sensor, detects feed jams. Inputs: ammunition belt, type sensor signal, round counter. Outputs: rounds fed to weapon, round count, jam alert, ammunition type to FCS for ballistic table selection. Performance: sustained feed rate for 700 rpm cyclic, 200-400 round magazine capacity, STANAG 4090 compatible link. |
| Ammunition Magazine Assembly | CE851059 | Belt-fed ammunition storage container mounted to RWS turret, capacity 400 rounds in soft-pack or rigid 7.62mm/.50 cal configuration. Includes feed-exit port with anti-snag guide, quick-release retention clips for rapid reload by single maintainer. Capacity sensor provides round-count feedback to Fire Control Computer. Must survive 6g vibration per MIL-STD-810 Method 514.8. |
| Ammunition Supply System | 44853859 | External ammunition supply: belted or linked ammunition fed from a magazine (typically 200-400 rounds for 12.7mm) mounted on the turret or in the hull with a feed chute. Interface includes mechanical feed path, ammunition type sensor (to verify correct calibre loaded), and round counter. Ammunition subject to STANAG 4090 (small arms ammunition) and AOP-39 (ammunition storage). |
| Arming Key Switch Assembly | C6CD5819 | Physical key-operated rotary switch providing the first of two required arming actions for weapon discharge in the Remote Weapon Station Safety Interlock System. Generates hardwired 28VDC signal directly to the Dual-Channel Safety Controller — not software-mediated. Has three positions: SAFE, ARMED, MAINTENANCE-LOCKOUT. Mounted in crew compartment, accessible only to authorised crew. Provides physical proof-of-intent separate from operator control unit software commands. |
| Azimuth Drive Motor and Gearbox | D7D51008 | Brushless DC motor with integrated planetary gearbox driving 360° continuous azimuth rotation of the RWS turret. Provides 0°/s to 60°/s slew rate with 0.1 mrad pointing accuracy. Output torque 500 Nm to overcome turret inertia and wind loading at maximum slew rate. Motor encoder provides 20-bit position feedback to the Turret Drive Controller at 1kHz. |
| Azimuth Slip Ring Assembly | D6851018 | Multi-circuit slip ring with 40 electrical circuits providing continuous 360° power and signal transfer through the azimuth rotation joint. Carries 24VDC power (20A), MIL-STD-1553B data bus, Ethernet 100BASE-TX, and analog sensor signals between the fixed vehicle hull and the rotating turret platform. Rated for 50,000 rotations minimum life. |
| Ballistic Computation Module | 41F73B19 | Software module executing on the Fire Control Computer that calculates the weapon aiming offset to achieve first-round hit. Inputs: LRF slant range (±5m accuracy), target angular velocity from TTP, vehicle inertial velocity and rotation from IMU, ammunition type and lot data, crosswind from sensors. Implements Mach-regime external ballistics model. Outputs azimuth and elevation corrections in mrad to the pointing error loop. Must re-compute within 20ms of updated range measurement. |
| Barrel Change Mechanism | 4CB53819 | Tool-free barrel locking and release system on the weapon cradle enabling single-maintainer hot barrel swap in less than 30 seconds. Includes quick-release barrel latch, heat-resistant barrel handle interface, and barrel retention sensor confirming positive lock before firing is permitted. Barrel retention state output to Safety Interlock System as a fire-permit precondition. |
| Belt Feed and Transfer Mechanism | CE851018 | Dual-path ammunition belt routing assembly channelling rounds from the magazine through the RWS turret structure to the weapon feed port. Includes anti-twist belt guides, spring-tensioned feed pawls maintaining 15-25N belt tension, and a metallic link catcher for disintegrating belt ammunition. Routes a 400-round belt through 300mm radius bends without jamming across the full turret traverse range of 360° azimuth and 40° elevation travel. |
| Boresight/Calibration mode of RWS | 50B53A00 | Sensor alignment and calibration mode of a Remote Weapon Station. Weapon safed, turret under controlled low-speed slew to calibrate EO/TI sensor boresight against weapon bore axis using a calibration target at known range. LRF range calibration against known reference. Gyroscope and IMU drift correction. Performed after maintenance, barrel change, or when BIT detects sensor misalignment exceeding 0.5 mrad. Requires stable vehicle (parked, engine idle). Operator-supervised, automated alignment sequence with manual override. |
| Built-In Test and Health Monitoring | 55F57209 | System function of Remote Weapon Station (RWS): performs power-on self-test and continuous monitoring of all subsystems — servo drive encoders, sensor health, safety interlock continuity, firing circuit integrity, ammunition counter, communication links. Outputs: fault codes, degraded-mode alerts, maintenance action recommendations, BIT pass/fail for each subsystem. Performance: complete power-on BIT in 90s at -46°C, continuous monitoring at 1 Hz. |
| CAN Bus and Serial Protocol Gateway | 50E57008 | Protocol gateway in the RWS CIU bridging the host vehicle CAN bus (ISO 11898, 500kbps) to the internal RWS Ethernet network. Receives vehicle status (engine state, navigation data, power bus voltage) and power management commands via CAN and republishes as UDP datagrams on the internal network. Also provides RS-422 buffering for GPS NMEA-0183 input at 10Hz and distributes position data to FCS and CIU. Performs message filtering, rate limiting, and watchdog monitoring. SIL 0, non-safety-critical function. |
| channel safety controller | D6F51018 | Ruggedised PCB assembly housed in physically discrete enclosure. This is a physical electronic device — a circuit board with microprocessor, relay drivers, and discrete I/O connectors. Mounted in vehicle electronics bay as a Line-Replaceable Unit (LRU). Has physical mass, volume, connectors, and mechanical mounting. Implements IEC 61508 SIL 3 hardware fault tolerance. Physically separate redundant channel. Physical Object with electrical inputs and relay outputs. |
| Communications and Data Link Interface | 40E57219 | System function of Remote Weapon Station (RWS): manages external data interfaces — tactical data link (MIL-STD-6016 or BMS protocol) for target handoff, blue force tracking, and sensor imagery export; CAN-bus vehicle interface for vehicle status and GPS/navigation data; RS-422 for precision navigation input. Inputs: BMS messages, GPS NMEA, vehicle CAN. Outputs: compressed sensor video at 15 fps, position reports at 1 Hz, target data, engagement status. Performance: latency <200ms for engagement-critical messages. |
| Communications Interface Unit | D4E57019 | Subsystem of Remote Weapon Station (RWS): manages all external digital interfaces. Contains: CAN-bus controller (vehicle bus interface for power management, vehicle status, GPS/INS data), RS-422 interface for precision navigation, MIL-STD-6016 tactical data link modem interface (target handoff, blue force tracking, engagement status), video encoder for sensor imagery compression and export (H.264 at 15 fps), and Ethernet switch for internal subsystem network. Data latency <200ms for engagement-critical messages. |
| Daylight Television Camera | D6C55019 | High-resolution CCD/CMOS day channel camera co-boresighted with thermal imager on the RWS sensor head. 0.3 mrad minimum IFOV with 2x to 10x continuous optical zoom. Provides colour imagery at 50Hz frame rate via GigE Vision. Sensor stabilised on same 2-axis gimbal as thermal camera. Used as primary channel for target identification and engagement in daylight conditions. |
| DC-DC Converter Array | D6D51018 | Multi-output DC-DC converter module in the RWS PDU providing regulated supply rails: 28VDC (pass-through, 15A), 12VDC (5A for sensors and cameras), 5VDC (3A for digital logic), 3.3VDC (2A for FPGAs). Synchronous buck topology, >90% efficiency, MIL-STD-704F compliant. Input 18-32VDC. Output ripple <50mV p-p. Soft-start and overcurrent protection per rail. Operating temperature -40°C to +71°C, MIL-STD-810G vibration. |
| Degraded Operation mode of RWS | 00B47200 | Fallback operational mode when one or more subsystems have failed: single-sensor operation (thermal or day only), manual tracking (auto-tracker failed), backup power (vehicle main power lost), reduced stabilization (one gyro failed). Weapon may still be fireable with degraded accuracy. Entry: automatic transition when Built-In Test detects subsystem failure. Exit: fault cleared and full capability restored, or crew commands stow. Operator receives degradation warnings with specific capability loss indicated on display. |
| Degraded sensor operation scenario | 00144200 | Degraded operations scenario: During desert patrol at 1400hrs, thermal crossover renders thermal imager ineffective — targets blend with ambient background temperature. RWS BIT detects low thermal contrast and alerts operator. Operator switches to day camera as primary sensor. Auto-tracker performance degrades in day-only mode due to reduced contrast in dust haze. Operator falls back to manual tracking. Engagement accuracy reduced but weapon system remains functional. Operator reports degradation to commander who adjusts patrol timing to avoid crossover period. |
| Dismounted Infantry operating near RWS vehicle | 01040021 | Personnel operating on foot near the RWS-equipped vehicle: at risk from uncommanded turret motion and weapon discharge. Must trust the RWS safety systems when working within the turret sweep zone. Coordinate with VC for fire support from the RWS. Primary safety concern — they are in the hazard zone. |
| Dual-Channel Safety Controller | D6E53058 | Dual-redundant safety controller implemented as two physically separate processing boards in a common housing, each independently processing firing inhibit logic via IEC 61508 SIL 3 architecture. Physical LRU with dedicated power supply, discrete I/O for safety interlocks, and hardened relay outputs for firing circuit break. Installed in turret electronics bay adjacent to safety interlock relays. |
| E-stop and Link Watchdog Module | D6C55018 | Dedicated hardware module within the Safety Interlock System of a Remote Weapon Station that monitors two independent safe-state triggers: (1) physical Emergency Stop button (hardwired, normally-closed circuit) and (2) data link heartbeat timeout (asserts safe state if no valid operator heartbeat for >200ms). Both channels are hardwired to the Dual-Channel Safety Controller — no software processing path. Provides galvanically isolated digital status outputs to safety controller at 100Hz polling rate. Operating on 28VDC, -40°C to +70°C. |
| Electro-Optical Sensor Assembly | D7F55019 | Subsystem of Remote Weapon Station (RWS): integrated sensor head containing day CCD camera (0.3 mrad IFOV, dual-FOV 18°/3°), uncooled LWIR thermal imager (50mK NETD, 640x512, dual-FOV), and eye-safe laser rangefinder (200-3000m, ±5m accuracy). Gimballed on the weapon cradle for co-boresighted operation. IP67 sealed with anti-condensation heater. Outputs analog/digital video to FCS and OCU. Operating temperature -46°C to +71°C. Contains auto-focus, electronic zoom, video recording, and automatic target detection algorithms. |
| Elevation Drive Motor and Gearbox | D7D51018 | Brushless DC motor with worm gearbox driving -20° to +55° elevation of the RWS weapon assembly. Provides 0°/s to 30°/s elevation slew rate with 0.1 mrad pointing accuracy. Self-locking worm drive ensures weapon elevation holds position on power loss without brake engagement. Output torque 200 Nm. Encoder provides 20-bit position feedback to Turret Drive Controller. |
| EMC Filter and Surge Protection Assembly | C6851058 | Passive EMC and transient voltage suppression assembly at the signal and power ingress of the RWS CIU. Provides MIL-STD-461G CE101/CE102 conducted emissions suppression on the 28VDC supply to the CIU. Includes TVS diodes and LC filters on all external signal cables (RS-422, CAN bus, Ethernet) to suppress ESD up to 15kV (IEC 61000-4-2 Level 4). Housed in shielded metal enclosure, passive component no power consumption. Operating temperature -40°C to +85°C. |
| Emergency stop during engagement scenario | 40BD2A00 | Emergency scenario: During engagement, operator notices turret traversing past commanded bearing — uncommanded motion detected. Operator immediately presses E-STOP. System de-energises turret drives, applies mechanical brakes, safes weapon firing circuit within 200ms. Turret halts. Operator reports malfunction. Commander orders vehicle to withdraw. Maintenance crew investigates — finds azimuth encoder producing erroneous position feedback causing servo loop instability. LRU replacement of azimuth encoder assembly required. BIT re-run confirms fix before return to operational status. |
| Emergency Stop mode of RWS | 40B53A51 | Safety shutdown mode: weapon immediately safed, turret drive motors de-energised, mechanical brakes applied, all fire interlocks engaged. Entry: operator presses emergency stop, or safety system detects critical fault (e.g., uncommanded turret motion, fire in turret, ammunition cookoff detection). Exit: manual reset by crew after fault investigation. All sensor recording preserved for incident analysis. This is the system safe state for all weapon-related hazards. |
| Engagement mode of RWS | 55F53A11 | Active weapon engagement mode: weapon armed, fire safety interlocks cleared by operator (two-stage arm sequence), target tracked via electro-optical sensors or automatic tracker, ballistic solution computed and applied to weapon aim point. Operator has authority to fire. Entry: operator arms weapon from surveillance mode after positive target identification. Exit: operator safes weapon (returns to surveillance), ammunition exhausted, or system enters emergency stop. Maximum power draw, stabilization at highest performance, all sensors recording. |
| Failure to safe weapon | 00050211 | Hazard in RWS: weapon does not return to safe state when commanded by operator or safety system. Firing circuit remains energised, or mechanical safety does not engage. Consequence: subsequent uncommanded discharge possible, crew unable to safely approach weapon for maintenance or clearing. Particularly dangerous during emergency stop or after a malfunction. Failure of the safe-state transition mechanism. |
| Field maintenance barrel change scenario | 50853A10 | Maintenance scenario: After sustained engagement (500+ rounds), weapon barrel requires change per maintenance schedule. Vehicle withdraws to maintenance area. Crew initiates maintenance mode — clears weapon (verifies empty chamber), removes ammunition belt, powers down turret electronics, engages mechanical locks on azimuth and elevation. Armourer changes barrel assembly (15-minute task), inspects feed mechanism, checks ammunition storage temperature. Re-loads ammunition, releases mechanical locks, powers up system, runs BIT. BIT passes — system returned to stowed mode for movement. |
| Fire Control Computation | 51F77B19 | System function of Remote Weapon Station (RWS): computes ballistic fire control solution from target range (LRF), target motion (tracker), vehicle motion (IMU), environmental inputs (temperature, crosswind, air pressure), ammunition type, and weapon ballistic tables. Outputs: weapon lead angle, superelevation correction, fire/no-fire signal. Performance: solution update at 10 Hz, engagement accuracy contribution <0.3 mrad systematic error. |
| Fire Control Computer | 51B73219 | |
| fire control system | D7F73019 | The Fire Control System (FCS) is a sealed aluminium Line-Replaceable Unit (LRU) housing the Fire Control Computer (FCC), Target Tracking Processor (TTP), Ballistic Computation Module (BCM), and Weapon Control Interface (WCI). It is a physical box meeting MIL-STD-810H environmental requirements, mounted inside the turret structure, drawing 28VDC power. It processes sensor imagery, computes fire solutions, and commands the weapon via digital outputs. Volume ≤8L, mass ≤6kg. |
| Fire Control System | DBF73819 | Ruggedized LRU packaged subsystem integrating ballistic computation module, fire control computer, and target tracking processor. Physical chassis is a sealed enclosure meeting MIL-STD-810H vibration and humidity profiles. Contains CPU, DSP, power conditioning circuitry. Manages weapon engagement sequence, ballistic trajectory calculation, and target track. Installed in vehicle turret electronics bay. |
| Friendly fire due to target misidentification | 00000201 | Hazard in RWS: operator engages friendly forces or civilians due to sensor degradation (obscured optics, thermal crossover), incorrect IFF data, situational awareness loss in restricted FOV, or confusion in complex urban environment. Consequence: fratricide, civilian casualties. RWS narrow sensor FOV (typically 2-20 degrees) limits peripheral awareness compared to direct observation. Compounded by thermal imager limitations during crossover periods. |
| GPS/Navigation System | 54E57019 | Vehicle GPS receiver providing position data to the RWS fire control computer for ballistic computation (Coriolis correction, map datum), target location reporting, and sensor geo-referencing. Interface via RS-422 or CAN-bus providing NMEA-0183 or military GPS format (DAGR/PLGR). Position accuracy requirement: <10m CEP. |
| Gunner Hand Controller | D6CD5019 | Dual-hand 6-axis joystick assembly providing azimuth slew, elevation slew, zoom, fire, arm, and mode selection inputs to the Weapon Control Interface. Spring-return to center. Thumb-operated firing trigger with guard. Outputs to Fire Control Computer via USB HID at 100Hz. Ergonomically designed for one-hand operation when required. Meets MIL-STD-461G EMC requirements. |
| Hardware Firing Interlock Relay | D6F51019 | Normally-open, fail-safe electromechanical relay assembly in series with the weapon firing solenoid circuit within the Safety Interlock System. Provides hardware-enforced firing cut-out that is physically independent of fire control software. Energised only when both the Dual-Channel Safety Controller asserts fire-enable AND the Arming Key Switch is in ARMED position. Drives 24VDC firing solenoid. Response time <10ms to de-energise on safe state command. |
| Host Vehicle Platform | DE851019 | Armored fighting vehicle (IFV, APC, MRAP) on which the RWS is mounted. Provides 28VDC power supply, CAN-bus data interface for vehicle integration (speed, heading, GPS), mounting ring interface (NATO standard turret ring), and structural support for recoil loads up to 25kN. Vehicle hull provides ballistic protection for the operator and electronics. |
| IED strike control link loss scenario | 40840200 | Failure scenario: Vehicle strikes IED during movement. Blast damages cable harness between hull operator station and turret assembly. RWS detects control link loss while weapon is in surveillance mode (safed). Hardware safety automatically locks turret and confirms weapon safe state within 500ms. Operator display shows LINK LOST status. Vehicle crew assesses damage, determines RWS inoperable. Crew secures weapon manually via turret-mounted manual safety, continues mission with RWS degraded-out. Field maintenance required to replace cable harness. |
| Initialization/BIT mode of RWS | 51F53A00 | Power-up and built-in-test mode of a Remote Weapon Station. System energizes in safe state, runs comprehensive self-diagnostics on servo drives, sensor alignment, FCS computation, ammunition feed sensors, and safety interlock circuits. Reports fault status to operator console. Servo drives exercised to verify freedom of motion and encoder calibration. LRF self-test with internal reference. Duration 30-90 seconds depending on ambient temperature. Prevents transition to Surveillance until all safety-critical BIT checks pass. |
| laser rangefinder | D4C55019 | |
| Loss of operator control while weapon armed | 01041211 | Hazard in RWS: communication link between operator control unit and turret assembly fails while weapon is in armed state. Causes: cable damage from IED blast, connector vibration failure, electronics failure. Consequence: weapon remains armed with no operator input, turret may drift or hold last commanded position. If auto-tracker is engaged, system may continue tracking a target without operator oversight. Requires independent hardware safety to force weapon safe on link loss. |
| Maintenance mode of RWS | 40943A10 | Depot or field maintenance mode: weapon removed or barrel cleared, all ammunition removed, turret power isolated via lockout-tagout, mechanical locks engaged on azimuth and elevation drives. Allows crew or technician to perform preventive maintenance, replace Line Replaceable Units (LRUs), update software, run diagnostic tests. Entry: crew initiates maintenance sequence with weapon cleared and verified safe. Exit: maintenance complete, Built-In Test passes, crew authorises return to stowed mode. Safety interlocks prevent any turret motion or weapon function. |
| OCU Control Processing Unit | D1F57018 | Embedded computer handling operator interface logic for the RWS OCU. Receives sensor video from FCC, composites overlay graphics, drives the Operator Display Unit, and forwards operator hand controller inputs to FCC. Manages BITE display, system status, and operator alerts. Communicates with FCC via 100BASE-TX Ethernet. Executes OCU software on COTS SBC running Linux RTOS. |
| Operator Control Unit | D4ED5019 | Subsystem of Remote Weapon Station (RWS): hull-mounted operator station with ruggedised 15-inch day/night-readable LCD display, dual hand controllers (palm grip with thumb controls for mode, FOV, fire trigger, and slew), emergency stop button, weapon arm/safe panel with guarded switches. Presents sensor video with FCS overlay (reticle, range, lead angle, mode indicators), BIT status, fault alerts. MIL-STD-1472 human factors design. Connected to turret via armoured cable harness through hull penetration. |
| Operator Display Unit | D6CC5018 | Rugged 15-inch sunlight-readable LCD touchscreen display for RWS gunner station. Displays dual-channel (day/thermal) video from EOSA, overlaid with target markers, range data, system status, and BITE indicators. 1920x1080 resolution, 1500 nit brightness for daylight readability. Touch interface for menu navigation. Connected to Fire Control Computer via DVI-D video and USB for touch input. |
| Operator Interface and Display | 50FD7819 | System function of Remote Weapon Station (RWS): presents sensor imagery, system status, fire control data, and BIT results to the vehicle commander via a ruggedised display panel with hand controllers. Receives operator commands (mode select, weapon arm/safe, fire trigger, sensor select, FOV, E-STOP). Inputs: sensor video, FCS overlay data, BIT status. Outputs: operator commands to FCS, mode transitions to state machine. Interface: MIL-STD-1472 human factors, day/night readable display. |
| Power Conditioning and Distribution | 54F53018 | System function of Remote Weapon Station (RWS): receives 28VDC from host vehicle and conditions/distributes power to all RWS subsystems — servo drives, sensors, FCS electronics, OCU, safety circuits. Manages power sequencing, surge protection, voltage regulation, and emergency power for safety-critical functions (firing interlock, brakes). Inputs: 28VDC vehicle bus. Outputs: regulated power rails (28V drive, 12V logic, 5V sensor). Performance: 2kW peak during full traverse with weapon firing, 500W nominal surveillance. |
| Power Distribution and Protection Module | D6B53018 | Load switching and protection module in the RWS PDU. Contains solid-state power controllers (SSPC) for each subsystem load: FCS (8A), TDA (12A), EOSA (4A), SIS (2A), CIU (3A), OCU (2A). Each SSPC provides electronic circuit breaking with adjustable trip threshold, inrush current limiting, and load shedding capability. Controlled via RS-422 serial from the Power Monitor and Control Unit. 28VDC, -40°C to +71°C. |
| Power Distribution Unit | D6C51018 | |
| Power Monitor and Control Unit | D5F77018 | Supervisory control and monitoring processor in the RWS PDU. Monitors voltage, current, and temperature on each power rail and subsystem supply branch using precision ADCs (12-bit, 1kHz sampling). Reports power consumption telemetry to FCS and OCU via RS-422. Commands SSPC load shedding during overload or fault conditions. Generates BIT fault codes for maintenance. Runs on embedded microcontroller with 100ms control loop. SIL 0, non-safety-critical. 28VDC, 2W. |
| Primary Power Input Filter and Surge Arrester | C6853058 | EMI/EMC input filter and transient voltage suppression (TVS) at the 28VDC power input of the RWS Power Distribution Unit. Provides MIL-STD-461G CE101/CE102 conducted emissions attenuation, STANAG 1008 compliant surge protection up to 100V/100µs transient per MIL-STD-1275E. Series inductor-capacitor LC filter with TVS diode array. Passes up to 3.5kW peak load. Passive assembly, no control electronics. -40°C to +85°C. |
| Recoil Buffer and Damping System | CED51019 | Spring-hydraulic recoil attenuation assembly mounted between weapon receiver and cradle. Absorbs initial 25kN peak recoil impulse and dissipates energy over 80mm stroke to reduce transmitted force to turret structure. Must not exceed 5kN residual force at buffer end-of-stroke. Operates across -40°C to +70°C temperature range without seal failure or hydraulic cavitation. |
| Remote Weapon Station (RWS) | DEF53059 | A remotely operated, stabilized weapon platform mounted on armored fighting vehicles (AFVs), naval vessels, or fixed installations. The operator acquires targets and engages from a protected position inside the vehicle using electro-optical sensors (daylight camera, thermal imager, laser rangefinder) and a stabilized weapon mount supporting medium-calibre machine guns (7.62mm, 12.7mm), automatic grenade launchers, or anti-tank guided missiles. The RWS provides 360-degree azimuth traverse, elevation from -20 to +60 degrees, two-axis stabilization for fire-on-the-move capability, and ballistic computation. Operates in desert, arctic, tropical, and urban environments at temperatures from -46°C to +71°C. Safety-critical system requiring SIL 2 minimum for weapon firing chain. Subject to NATO STANAG 4569 for ballistic protection integration and MIL-STD-810 for environmental qualification. |
| RWS System Integrator (OEM) | 40853879 | Defence contractor responsible for design, manufacture, integration, and through-life support of the RWS. Integrates RWS onto multiple vehicle platforms. Responsible for safety case, environmental qualification, type certification, software assurance, and logistics support. Must comply with DEF STAN 00-56 safety management and IEC 61508 functional safety. |
| Safe State Output Driver | D0D51018 | Galvanically isolated relay driver module within the Safety Interlock System that conditions Dual-Channel Safety Controller digital outputs to drive high-current actuators: mechanical brake solenoids (24VDC, 2A each, two turret axes) and weapon firing inhibit relay coil. Fail-safe design: de-energised state (no drive signal) corresponds to brakes engaged and firing inhibited. Provides 1500V isolation between safety logic and actuator circuits. Response time <5ms from command to actuator state change. |
| Safety Interlock System | D2B53859 | Subsystem of Remote Weapon Station (RWS): hardware safety chain implementing SIL 3 firing interlock and SIL 2 turret motion safety. Contains: hardwired E-STOP circuit (mushroom button at OCU and external maintenance panel), maintenance mode interlock switches on access panels, weapon arm relay (two-action independent of FCS software), control link watchdog timer (200ms hardware timeout), firing circuit relay (fail-open, spring-return), turret brake release relay. All safety relays are fail-safe (de-energise to safe state). Independent of FCS software per IEC 61508 architectural constraint. |
| Sensor Head Stabilisation Platform | DFB51008 | 2-axis (azimuth and elevation) gyro-stabilised gimbal isolating the thermal imager and day camera from turret platform vibration. Provides stabilisation to 0.1 mrad RMS residual jitter at 5Hz-100Hz vibration input up to 5 mrad/s. Gyro feedback from fibre optic gyroscopes (FOG). Stabilisation electronics interface to Turret Drive Controller for turret-stabilisation decoupling. |
| Software fault causing uncommanded fire | 41213159 | Hazard in RWS: fire control software erroneously asserts fire command due to race condition, buffer overflow, state machine corruption, or incorrect sensor data interpretation. Distinct from electrical uncommanded discharge — this is a logic error in safety-critical software. Consequence: same as uncommanded discharge but with potentially systematic rather than random failure mode. Requires SIL 2+ software development per IEC 61508 Part 3. |
| Stowed/Travel mode of RWS | 40940A00 | Non-operational transport mode: weapon is safed, turret locked to travel position (typically forward), sensors powered down or in standby. Entry: crew secures weapon and initiates stow command. Active during road marches, rail transport, and air transport. Exit: crew commands transition to surveillance mode upon entering operational area. Power draw minimal, vehicle CAN-bus heartbeat maintained. |
| Surveillance mode of RWS | 55FD3201 | Operational observation mode: weapon safed but turret unlocked and traversable, all electro-optical sensors active (day camera, thermal imager, laser rangefinder on standby), stabilization engaged. Operator scans sectors using joystick or auto-scan patterns. Entry: crew transitions from stowed mode upon reaching operational area. Exit: operator identifies threat and transitions to engagement mode, or crew commands stow. Full power draw, continuous sensor video feed to operator display. |
| Tactical Commander (Platoon/Company) | 018D7AF9 | Commands the formation of which the RWS-equipped vehicle is a part. Authorises engagement in accordance with rules of engagement. Needs RWS sensor imagery shared via tactical data link for situational awareness. Relies on RWS engagement effectiveness data for tactical planning and battle damage assessment. |
| Tactical Data Link (Battle Management System) | 50F57B59 | Battlefield management system providing digital communications between vehicles and command posts. Receives target handoff data, blue force tracking, and rules of engagement updates. Exports RWS sensor imagery, engagement data, and weapon status to the tactical network. Typically MIL-STD-6016 or national BMS protocol over UHF/VHF or wideband radio. |
| Tactical Data Link Processor | 50F57258 | |
| Target Detection and Tracking | 55F53219 | System function of Remote Weapon Station (RWS): acquires targets using EO/TI sensors, performs automatic video tracking with centroid/correlation tracker, maintains weapon-target alignment during vehicle motion. Inputs: sensor video streams (EO 640x480 day, TI 640x480 LWIR), vehicle motion (IMU/gyro), operator designation. Outputs: target position (azimuth/elevation/range), track quality metric, tracking error signal to servo loop. Performance: 0.5 mrad RMS tracking error on 30 km/h crossing target at 500m, 10 Hz update rate. |
| Target Tracking Processor | D1F77219 | Dedicated video processing board within the FCS that runs the auto-tracking algorithm. Receives compressed H.264 video frames from the EOSA at 50Hz via GigE. Implements template-matching and Kalman filter-based tracker to maintain a 3D target state estimate (position, velocity). Outputs target centroid in image coordinates and angular track error at 50Hz to the Fire Control Computer. Falls back to inertial hold mode when image quality drops below threshold. |
| Thermal Imaging Camera | D4EC5019 | Uncooled or cooled LWIR (8-12 µm) staring focal plane array providing continuous video to the Fire Control Computer and Operator Control Unit. Minimum 0.3 mrad IFOV. Image stabilised against platform vibration to 5 Hz-30 Hz using a 2-axis gimbal. Provides detection of man-size target at ≥3 km in STANAG 4347 standard atmosphere. Digital video output via GigE Vision at 50Hz frame rate. |
| Turret Drive Assembly | DEF51018 | Subsystem of Remote Weapon Station (RWS): dual-axis (azimuth 360° continuous, elevation -20° to +60°) servo-driven turret with brushless DC motors, harmonic drives, optical encoders (21-bit resolution), and spring-applied/electrically-released mechanical brakes. Gyro-stabilised pointing with 0.2 mrad accuracy under MIL-STD-810H Cat 4/8 vibration. Slew rates: 60°/s azimuth, 40°/s elevation. Structural design for 25kN recoil load. NATO turret ring interface. IP67 sealed bearings and slip ring for continuous rotation. |
| Turret Drive Controller | 55F57208 | Real-time motion controller executing closed-loop PID position and velocity control for azimuth and elevation axes. Receives fire control aiming demands at 50Hz from Fire Control Computer via PCIe, executes control law at 1kHz, outputs PWM commands to motor drives. Implements software velocity and travel limits. Monitors encoder health and motor current. Reports turret position at 50Hz to FCS and status at 10Hz to OCU. |
| Turret Position Encoder Assembly | D4E55018 | Dual-redundant absolute position encoders on the azimuth and elevation axes providing 20-bit angular position data at 1kHz to the Turret Drive Controller. Primary encoder is optical absolute; secondary is magnetic incremental for fault detection. Cross-comparison between channels detects encoder failure within 10ms. Output fed to both TDC and SIS for safe-state monitoring. |
| Turret Stabilisation and Drive Control | 55F53019 | System function of Remote Weapon Station (RWS): controls azimuth and elevation servo motors to point the weapon and sensors at commanded bearings with stabilisation against vehicle motion. Uses gyroscope/IMU feedback for disturbance rejection. Inputs: commanded bearing (from tracker or operator), vehicle attitude (IMU), encoder position feedback. Outputs: motor drive signals, brake commands. Performance: 60°/s azimuth slew, 40°/s elevation, 0.2 mrad pointing accuracy under MIL-STD-810H vibration. |
| Uncommanded turret motion | 14400201 | Hazard in RWS: turret traverses or elevates without operator command due to servo controller fault, encoder failure, or software error. Consequence: crushing or striking of personnel working near the vehicle (e.g., dismounted infantry, maintenance crew). High angular velocity of turret (up to 60 deg/s) combined with weapon mass (50-150 kg) creates lethal kinetic energy. Can occur in surveillance, engagement, or maintenance modes. |
| Uncommanded weapon discharge | 50400211 | Hazard in RWS: weapon fires without operator command due to electrical fault in firing circuit, software error in fire control computer, or electromagnetic interference triggering the solenoid. Consequence: death or serious injury to friendly forces, civilians, or damage to own vehicle. Can occur in any mode where ammunition is loaded. Most critical single-point failure in the system. |
| Urban patrol engagement scenario | 55F53231 | Normal operations scenario: Mechanized infantry section conducts mounted patrol in urban area. Vehicle commander (VC) operates RWS in surveillance mode, scanning rooftops and alleyways with thermal imager during early morning patrol. VC identifies suspected hostile with RPG on third-floor balcony at 200m. VC switches to narrow FOV, confirms threat through day camera, reports to platoon commander. On authorization, VC transitions to engagement mode, arms weapon, auto-tracker locks target, ballistic solution computed for 200m range and 15-degree elevation. VC fires 3-round burst of 12.7mm. Post-engagement, VC returns to surveillance mode and continues patrol. |
| Vehicle Commander (RWS Operator) | 008578F9 | Primary operator of the Remote Weapon Station: commands and controls the RWS from inside the armored vehicle, responsible for target acquisition, identification, and engagement decisions. Requires situational awareness through RWS sensors while maintaining command of the vehicle and its crew. Operates under rules of engagement. Typically a non-commissioned officer with weapons qualification. |
| Vehicle Crew (Driver and Loader) | 018D10A8 | Other crew members of the RWS-equipped vehicle: driver and loader/gunner. Affected by RWS vibration, noise, and recoil forces transmitted through the hull. Driver relies on VC for route security via RWS surveillance. Loader responsible for ammunition replenishment and may need to access turret for stoppages. |
| Video Compression and Network Interface Module | D4F57018 | H.264/H.265 hardware video compression module in the RWS CIU. Receives uncompressed YUV video from the EOSA (daylight and thermal channels) at up to 30fps, 1280x1024 resolution. Compresses to target bitrate of 2-8Mbps and encapsulates in RTP/UDP over GigabitEthernet for BMS transmission. Includes dual-port GigE switch capability for internal RWS network. Operates at 28VDC, generates up to 8W heat load. Compliance: MIL-STD-810G temperature/vibration. |
| Weapon and Ammunition Handling Assembly | DFE51019 | Subsystem of Remote Weapon Station (RWS): weapon cradle mounting a 12.7mm or 7.62mm machine gun with powered belt feed mechanism. Contains: dual-path flexible chute from 400-round magazine, ammunition type sensor (optical), electronic round counter, feed motor with jam detection, spent case and link ejection chute, quick-change barrel interface. STANAG 4090 compatible links. Barrel change by single maintainer in <15 min. Recoil buffer absorbs 25kN peak impulse. Weapon elevation driven by TDA but mechanical stops are in WAH. |
| Weapon Control Interface | 50F57A19 | Hardware/firmware interface within the FCS that translates Fire Control Computer firing commands into weapon-specific electrical signals. Manages trigger solenoid activation timing, burst counter, cook-off timing enforcement, and misfire handling sequences. Receives FIRE/CEASE/SAFE commands from FCC over RS-422 link. Outputs 28VDC firing solenoid drive pulse to the weapon trigger mechanism via the Hardware Firing Interlock Relay. Logs round count and fault codes to FCC. |
| Weapon Cradle and Mount | CE851018 | Structural mechanical interface between the weapon receiver and the RWS turret elevation axis. Transmits azimuth and elevation angles from the turret drive to the weapon bore line. Must withstand 25kN peak recoil load from sustained fire cycles with zero permanent deformation. Includes weapon locking latch for secure retention during vehicle mobility and quick-release for barrel change. |
| Weapon Safing and Interlock Management | 51F57B19 | System function of Remote Weapon Station (RWS): manages the safety state machine for weapon discharge — monitors E-STOP, safety interlocks, control link heartbeat, maintenance mode, and operator arm/safe commands. Controls hardware firing interlock relay (SIL 3) and software fire enable gate. Outputs: fire-enable/inhibit signal, safe-state command to turret drives. Performance: 500ms maximum transition to safe state from any trigger. Independent hardware watchdog with 200ms timeout. |
| Weapons System Maintainer | 00843AF9 | Armourer or electronics technician responsible for preventive and corrective maintenance of the RWS. Performs barrel changes, LRU replacement, cable harness repair, software updates, and diagnostic testing. Works in the turret hazard zone during maintenance. Requires lockout-tagout procedures and maintenance mode safety interlocks. |
| Component | Belongs To |
|---|---|
| Electro-Optical Sensor Assembly | Remote Weapon Station (RWS) |
| Fire Control System | Remote Weapon Station (RWS) |
| Turret Drive Assembly | Remote Weapon Station (RWS) |
| Operator Control Unit | Remote Weapon Station (RWS) |
| Safety Interlock System | Remote Weapon Station (RWS) |
| Weapon and Ammunition Handling Assembly | Remote Weapon Station (RWS) |
| Power Distribution Unit | Remote Weapon Station (RWS) |
| Communications Interface Unit | Remote Weapon Station (RWS) |
| Dual-Channel Safety Controller | Safety Interlock System |
| Hardware Firing Interlock Relay | Safety Interlock System |
| Arming Key Switch Assembly | Safety Interlock System |
| E-stop and Link Watchdog Module | Safety Interlock System |
| Safe State Output Driver | Safety Interlock System |
| Fire Control Computer | Fire Control System |
| Target Tracking Processor | Fire Control System |
| Ballistic Computation Module | Fire Control System |
| Weapon Control Interface | Fire Control System |
| Weapon Cradle and Mount | Weapon and Ammunition Handling Assembly |
| Recoil Buffer and Damping System | Weapon and Ammunition Handling Assembly |
| Ammunition Magazine Assembly | Weapon and Ammunition Handling Assembly |
| Belt Feed and Transfer Mechanism | Weapon and Ammunition Handling Assembly |
| Barrel Change Mechanism | Weapon and Ammunition Handling Assembly |
| Azimuth Drive Motor and Gearbox | Turret Drive Assembly |
| Elevation Drive Motor and Gearbox | Turret Drive Assembly |
| Turret Drive Controller | Turret Drive Assembly |
| Azimuth Slip Ring Assembly | Turret Drive Assembly |
| Turret Position Encoder Assembly | Turret Drive Assembly |
| Thermal Imaging Camera | Electro-Optical Sensor Assembly |
| Daylight Television Camera | Electro-Optical Sensor Assembly |
| Laser Rangefinder | Electro-Optical Sensor Assembly |
| Sensor Head Stabilisation Platform | Electro-Optical Sensor Assembly |
| Operator Display Unit | Operator Control Unit |
| Gunner Hand Controller | Operator Control Unit |
| OCU Control Processing Unit | Operator Control Unit |
| Tactical Data Link Processor | Communications Interface Unit |
| Video Compression and Network Interface Module | Communications Interface Unit |
| CAN Bus and Serial Protocol Gateway | Communications Interface Unit |
| EMC Filter and Surge Protection Assembly | Communications Interface Unit |
| Primary Power Input Filter and Surge Arrester | Power Distribution Unit |
| DC-DC Converter Array | Power Distribution Unit |
| Power Distribution and Protection Module | Power Distribution Unit |
| Power Monitor and Control Unit | Power Distribution Unit |
| channel safety controller | Safety Interlock System |
| From | To |
|---|---|
| Dual-Channel Safety Controller | Hardware Firing Interlock Relay |
| Dual-Channel Safety Controller | Safe State Output Driver |
| Arming Key Switch Assembly | Dual-Channel Safety Controller |
| E-stop and Link Watchdog Module | Dual-Channel Safety Controller |
| Target Tracking Processor | Fire Control Computer |
| Fire Control Computer | Ballistic Computation Module |
| Fire Control Computer | Weapon Control Interface |
| Ammunition Magazine Assembly | Belt Feed and Transfer Mechanism |
| Belt Feed and Transfer Mechanism | Weapon Cradle and Mount |
| Weapon Cradle and Mount | Recoil Buffer and Damping System |
| Barrel Change Mechanism | Weapon Cradle and Mount |
| Turret Drive Controller | Azimuth Drive Motor and Gearbox |
| Turret Drive Controller | Elevation Drive Motor and Gearbox |
| Turret Position Encoder Assembly | Turret Drive Controller |
| Azimuth Slip Ring Assembly | Turret Drive Controller |
| Thermal Imaging Camera | Sensor Head Stabilisation Platform |
| Daylight Television Camera | Sensor Head Stabilisation Platform |
| Laser Rangefinder | Sensor Head Stabilisation Platform |
| OCU Control Processing Unit | Operator Display Unit |
| Gunner Hand Controller | OCU Control Processing Unit |
| Tactical Data Link Processor | Battle Management System |
| Video Compression and Network Interface Module | Tactical Data Link Processor |
| CAN Bus and Serial Protocol Gateway | Fire Control Computer |
| Power Distribution and Protection Module | Safety Interlock System |
| Power Monitor and Control Unit | Fire Control Computer |
| Primary Power Input Filter and Surge Arrester | DC-DC Converter Array |
| Primary Power Input Filter and Surge Arrester | Power Distribution and Protection Module |
| Component | Output |
|---|---|
| Dual-Channel Safety Controller | firing-enable-signal |
| Dual-Channel Safety Controller | brake-release-command |
| Hardware Firing Interlock Relay | firing-circuit-state |
| Arming Key Switch Assembly | arm-key-status-signal |
| E-stop and Link Watchdog Module | safe-state-trigger-signal |
| Safe State Output Driver | actuator-drive-signals |
| Fire Control Computer | ballistic fire solution and servo pointing demands |
| Target Tracking Processor | target state estimate and angular track error at 50Hz |
| Ballistic Computation Module | azimuth and elevation corrections in mrad |
| Weapon Control Interface | weapon trigger solenoid firing pulse |
| Recoil Buffer and Damping System | attenuated recoil force |
| Ammunition Magazine Assembly | round-count status |
| Belt Feed and Transfer Mechanism | chambered round |
| Barrel Change Mechanism | barrel retention status |
| Tactical Data Link Processor | MIL-STD-6016 tactical data messages |
| Video Compression and Network Interface Module | compressed sensor video RTP stream |
| CAN Bus and Serial Protocol Gateway | vehicle status UDP datagrams |
| EMC Filter and Surge Protection Assembly | conducted emissions suppression |
| DC-DC Converter Array | regulated 12VDC 5VDC 3.3VDC rails |
| Power Distribution and Protection Module | switched protected 28VDC subsystem feeds |
| Power Monitor and Control Unit | power telemetry and fault codes |