Hazard & Risk Analysis (HRA) — ISO/IEC/IEEE 15289 — Report | IEC 61508 Phase 3
Generated 2026-03-27 — UHT Journal / universalhex.org

| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Uncommanded weapon discharge due to electrical fault, software error, or EMI | catastrophic | rare | SIL 3 | firing circuit de-energised, mechanical sear engaged, weapon on safe |
| H-002: Uncommanded turret motion crushing or striking personnel | critical | low | SIL 2 | turret drives de-energised, mechanical brakes engaged on both axes |
| H-005: Ammunition cookoff from sustained firing heat or vehicle fire exposure | catastrophic | rare | SIL 2 | ammunition isolated from heat source, crew evacuated, fire suppression activated |
| H-006: Loss of operator control while weapon armed due to cable damage or electronics failure | critical | medium | SIL 2 | weapon automatically safed within 500ms of link loss detection |
| H-004: Friendly fire due to target misidentification via degraded sensors or limited FOV | catastrophic | low | SIL 2 | weapon on safe, operator alerted to identification uncertainty |
| H-007: Software fault causing uncommanded fire via state machine corruption or race condition | catastrophic | rare | SIL 3 | hardware firing interlock independent of software prevents discharge |
| H-003: Failure to transition to safe state when commanded | catastrophic | rare | SIL 3 | independent hardware safety forces firing circuit open and drives de-energised |

| Ref | SIL | Requirement | V&V |
|---|---|---|---|
| ARC-REQ-006 | SIL 3 | ARC: Safety Interlock System 1oo2D redundant channel architecture — The Dual-Channel Safety Controller implements 1oo2D (one-out-of-two with diagnosti... | Inspection |
| ARC-REQ-010 | SIL 2 | ARC: Turret Drive Assembly — Dual-axis motion control with slip ring power transfer and dual-redundant encoders. Separate azimuth and elevation motor-... | Inspection |
| ARC-REQ-011 | SIL 2 | ARC: Electro-Optical Sensor Assembly — Common stabilised platform with separate day and thermal channels. The EOSA mounts the thermal imager, daylight... | Inspection |
| IFC-REQ-009 | SIL 3 | The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly SHALL be a hardwired normally-open relay contact (IE... | Test |
| IFC-REQ-010 | SIL 2 | The interface between the Safety Interlock System and the Turret Drive Assembly SHALL provide a hardwired brake-release signal; when de-asserted, spri... | Test |
| IFC-REQ-011 | SIL 3 | The interface between the Arming Key Switch Assembly and the Dual-Channel Safety Controller SHALL be a direct hardwired 28VDC discrete signal per key ... | Test |
| IFC-REQ-012 | SIL 2 | The interface between the E-stop and Link Watchdog Module and the Dual-Channel Safety Controller SHALL be a dual hardwired discrete signal (one per ch... | Test |
| IFC-REQ-013 | SIL 3 | The interface between the Dual-Channel Safety Controller and the Hardware Firing Interlock Relay SHALL be a 24VDC energise signal with both controller... | Test |
| IFC-REQ-014 | SIL 2 | The interface between the Dual-Channel Safety Controller and the Safe State Output Driver SHALL carry separate drive commands for each actuator output... | Test |
| IFC-REQ-018 | SIL 2 | The interface between the Barrel Change Mechanism and the Safety Interlock System SHALL transmit the BARREL-NOT-LOCKED signal as a hardwired 24VDC dis... | Test |
| IFC-REQ-021 | SIL 2 | The interface between the Fire Control Computer and the Turret Drive Controller SHALL transmit weapon aiming demand packets at 50Hz via PCIe, with azi... | Test |
| IFC-REQ-023 | SIL 2 | The interface between the Electro-Optical Sensor Assembly and the Fire Control Computer SHALL transmit simultaneous thermal and daylight video streams... | Test |
| IFC-REQ-028 | SIL 3 | The interface between the Power Distribution and Protection Module and the Safety Interlock System SHALL provide an always-on, non-load-shedded 28VDC ... | Test |
| SUB-REQ-001 | SIL 3 | The Dual-Channel Safety Controller SHALL implement a 1oo2D (one-out-of-two with diagnostics) redundant channel architecture with independent processin... | Test |
| SUB-REQ-002 | SIL 3 | The Dual-Channel Safety Controller SHALL transition to ARMED state only when the Arming Key Switch Assembly asserts key-armed status AND an operator A... | Test |
| SUB-REQ-003 | SIL 3 | The Hardware Firing Interlock Relay SHALL be a normally-open, fail-safe electromechanical relay installed in series with the weapon firing solenoid, e... | Test |
| SUB-REQ-004 | SIL 3 | The Hardware Firing Interlock Relay SHALL de-energise and open the firing solenoid circuit within 10ms of the Dual-Channel Safety Controller withdrawi... | Test |
| SUB-REQ-005 | SIL 2 | The E-stop and Link Watchdog Module SHALL assert a safe-state trigger signal to the Dual-Channel Safety Controller within 200ms of the last valid oper... | Test |
| SUB-REQ-006 | SIL 2 | When Emergency Stop is activated, the Safe State Output Driver SHALL de-energise all actuator outputs (both axis brake solenoids and weapon firing inh... | Test |
| SUB-REQ-007 | SIL 3 | While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System SHALL prevent transition to ARMED state regardles... | Test |
| SUB-REQ-008 | SIL 3 | When the Dual-Channel Safety Controller detects a fault via cross-channel comparison, internal diagnostic monitor, or output verification loop, the Sa... | Test |
| SUB-REQ-013 | SIL 2 | The Fire Control Computer SHALL execute the pointing error closed-loop at not less than 50Hz, producing azimuth and elevation demands to the Turret Dr... | Test |
| SUB-REQ-014 | SIL 2 | The Target Tracking Processor SHALL maintain auto-track on a target with a minimum IR contrast of 0.5K with a track error not exceeding 0.2 mrad RMS a... | Test |
| SUB-REQ-015 | SIL 2 | The Ballistic Computation Module SHALL complete a new fire solution within 20ms of receiving an updated laser rangefinder range measurement, accountin... | Test |
| SUB-REQ-016 | SIL 2 | The Weapon Control Interface SHALL activate the weapon trigger solenoid within 5ms of receiving a FIRE command from the Fire Control Computer, and sha... | Test |
| SUB-REQ-017 | SIL 2 | When the Safety Interlock System asserts the SAFE_STATE signal, the Fire Control System SHALL immediately issue a CEASE command to the Weapon Control ... | Test |
| SUB-REQ-018 | SIL 2 | While operating in Degraded Mode with the thermal imaging channel failed, the Fire Control System SHALL maintain automatic target tracking using the d... | Test |
| SUB-REQ-022 | SIL 2 | The Weapon Cradle and Mount SHALL withstand a peak recoil load of 25kN from sustained burst fire without permanent deformation of mounting interfaces ... | Test |
| SUB-REQ-023 | SIL 2 | The Recoil Buffer and Damping System SHALL attenuate peak recoil force from 25kN weapon output to not more than 5kN transmitted to the turret structur... | Test |
| SUB-REQ-024 | SIL 2 | The Barrel Change Mechanism SHALL enable a single maintainer to remove a hot barrel and install a replacement barrel within 30 seconds, using no tools... | Demonstration |
| SUB-REQ-025 | SIL 2 | When the Barrel Change Mechanism barrel retention sensor reads UNLOCKED, the Weapon and Ammunition Handling Assembly SHALL assert a BARREL-NOT-LOCKED ... | Test |
| SUB-REQ-026 | SIL 2 | The Turret Drive Assembly SHALL achieve a weapon pointing accuracy of 0.1 mrad RMS under all combinations of vehicle velocity up to 30 km/h on cross-c... | Test |
| SUB-REQ-027 | SIL 2 | When the Safety Interlock System asserts DRIVE-INHIBIT, the Turret Drive Assembly SHALL cease all azimuth and elevation motion within 200ms, applying ... | Test |
| SUB-REQ-028 | SIL 2 | The Azimuth Drive Motor and Gearbox SHALL provide continuous 360° azimuth rotation at slew rates from 0.1°/s to 60°/s, with a maximum angular accelera... | Test |
| SUB-REQ-029 | SIL 2 | The Thermal Imaging Camera SHALL provide a minimum instantaneous field of view (IFOV) of 0.3 mrad in the narrow field of view (NFOV) channel, enabling... | Test |
| SUB-REQ-030 | SIL 2 | The Laser Rangefinder SHALL measure target range to an accuracy of ±5m (1-sigma) across ranges from 200m to 4000m, and SHALL be classified as eye-safe... | Test |
| SUB-REQ-031 | SIL 2 | While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL maintain Daylight Television Camera and Laser Rangefind... | Test |
| SUB-REQ-042 | SIL 3 | The Dual-Channel Safety Controller SHALL operate from a 28VDC supply (22–32V operating range per MIL-STD-1275E), with a maximum steady-state current d... | Test |
| SUB-REQ-043 | SIL 3 | The Hardware Firing Interlock Relay SHALL be energised from 24VDC (18–30V operating range), draw a coil current not exceeding 200mA in the energised s... | Test |
| SUB-REQ-044 | SIL 2 | The Elevation Drive Motor and Gearbox SHALL provide weapon elevation coverage from -20° (depression) to +60° (elevation) at a slew rate of not less th... | Test |
| SUB-REQ-045 | SIL 2 | The Day Camera SHALL provide visible-band imaging at a minimum resolution of 0.3 mrad/pixel and a minimum frame rate of 25 frames per second, with a c... | Test |
| SUB-REQ-046 | SIL 2 | The Fire Control System SHALL achieve a Mean Time Between Critical Failures (MTBCF) of not less than 500 hours in the field operational environment as... | Demonstration |
| SUB-REQ-047 | SIL 2 | The Weapon and Ammunition Handling Assembly SHALL enable replacement of the weapon barrel and clearing of a round jam within a Mean Time To Repair (MT... | Demonstration |
| SUB-REQ-048 | SIL 2 | The Fire Control Computer SHALL execute an automated boresight verification routine at system power-on and on operator demand, comparing the weapon ax... | Test |
| SUB-REQ-049 | SIL 2 | The Sensor Stabilisation Platform SHALL provide a two-axis gyrostabilised mount for the EOSA sensor head, maintaining residual line-of-sight error bel... | Test |
| SUB-REQ-051 | SIL 3 | The Hardware Firing Interlock Relay SHALL use gold-alloy bifurcated contacts rated at minimum 10A continuous at 28VDC and SHALL maintain contact resis... | Test |
| SUB-REQ-052 | SIL 2 | The Fire Control Computer SHALL implement a hardware watchdog timer with a 100ms timeout that independently de-energises the weapon control interface ... | Test |
| SUB-REQ-053 | SIL 2 | The Weapon Control Interface SHALL implement a fail-safe output stage such that loss of power, loss of communication from the FCC, or any detected out... | Test |
| SUB-REQ-059 | SIL 2 | The Ballistic Computation Module SHALL validate the integrity of all fire solution inputs (LRF range, target angular velocity, atmospheric corrections... | Test |
| SUB-REQ-061 | SIL 3 | The Safety Interlock System SHALL operate across the ambient temperature range -40°C to +70°C and SHALL maintain its SIL 3 safety function without deg... | Test |
| SUB-REQ-062 | SIL 3 | The Hardware Firing Interlock Relay SHALL be a hermetically sealed relay rated to operate across the temperature range -55°C to +125°C with a rated co... | Test |
| SUB-REQ-063 | SIL 2 | The Fire Control System SHALL provide stabilisation compensation to the ballistic solution such that first-round hit probability is not less than 0.7 ... | Test |
| SUB-REQ-064 | SIL 2 | The Turret Drive Assembly SHALL provide continuous 360° azimuth traverse and -20° to +60° elevation coverage, with slew rates not less than 60°/s in a... | Test |
| SUB-REQ-065 | SIL 2 | While in Degraded Operation mode with the thermal imager inactive, the Electro-Optical Sensor Assembly SHALL maintain a minimum day-camera video outpu... | Test |
| SUB-REQ-067 | SIL 2 | The Fire Control System SHALL execute an automated boresight verification sequence upon entry into Operational mode from Maintenance mode, comparing d... | Test |
| SUB-REQ-068 | SIL 3 | The Safety Interlock System's Dual-Channel Safety Controller SHALL be packaged as a dedicated sealed LRU conforming to STANAG 4370 AECTP 400 environme... | Inspection |
| SUB-REQ-073 | SIL 2 | When the Fire Control Computer detects an internal processing fault, the Fire Control System SHALL inhibit weapon firing, annunciate a fault code to t... | Test |
| SUB-REQ-074 | SIL 2 | The Weapon Control Interface SHALL implement a hardware-enforced dual-confirmation logic where both the operator fire command and a valid safety contr... | Test |
| SUB-REQ-075 | SIL 2 | When the Target Tracking Processor loses target track for more than 500ms, the Fire Control System SHALL automatically deselect the engagement target,... | Test |
| SUB-REQ-076 | SIL 2 | The Ballistic Computation Module SHALL accept firing table and meteorological data updates only from authenticated, cryptographically signed sources, ... | Test |
| SUB-REQ-077 | SIL 3 | The Power Distribution Unit SHALL implement independent fused circuit branches for safety-critical loads (firing interlock relay, safety controller, s... | Test |
| SUB-REQ-078 | SIL 2 | When the primary (optical) imaging channel fails, the Electro-Optical Sensor Assembly SHALL continue providing thermal imaging data to the Fire Contro... | Demonstration |
| SUB-REQ-079 | SIL 2 | The Fire Control System SHALL enforce that the operator explicitly acknowledges positive target identification (IFF status FRIEND, NEUTRAL, or UNKNOWN... | Inspection |
| SUB-REQ-083 | SIL 2 | When the Fire Control Computer hardware watchdog asserts a system reset, the Fire Control Computer SHALL complete a controlled restart, re-run Built-I... | Test |
| SYS-REQ-007 | SIL 3 | The Remote Weapon Station SHALL implement a two-action weapon arming sequence requiring explicit operator ARM command followed by independent authoriz... | Test |
| SYS-REQ-008 | SIL 3 | The Remote Weapon Station SHALL provide a hardware firing interlock independent of the fire control software that physically prevents weapon discharge... | Test |
| SYS-REQ-009 | SIL 2 | When the operator control link is lost, the Remote Weapon Station SHALL safe the weapon firing circuit and de-energise turret drives within 500ms of l... | Test |
| SYS-REQ-010 | SIL 2 | When Emergency Stop is activated, the Remote Weapon Station SHALL de-energise all turret drive motors and engage mechanical brakes on both azimuth and... | Test |
| VER-REQ-002 | SIL 3 | Verify SUB-REQ-002: Inject arming command sequences in SIS test harness. Test cases: (a) key only — expect ARMED state NOT entered; (b) software ARM o... | Test |
| VER-REQ-003 | SIL 2 | Verify SUB-REQ-005: Simulate data link heartbeat dropout at SIS bench test harness. Inject heartbeat at 10Hz, then drop all packets. Measure time from... | Test |
| VER-REQ-004 | SIL 3 | Verify SUB-REQ-008: Inject simulated faults into SIS test harness (channel mismatch, diagnostic monitor trip, output feedback discrepancy). For each f... | Test |
| VER-REQ-005 | SIL 3 | Verify IFC-REQ-011: Connect Arming Key Switch Assembly to SIS test harness. Rotate key through all 3 positions (SAFE, ARMED, MAINTENANCE-LOCKOUT). Mea... | Test |
| VER-REQ-006 | SIL 3 | Verify IFC-REQ-013: Apply 24VDC energise command from SIS test harness to Hardware Firing Interlock Relay. Test AND-gate logic by asserting channel A ... | Test |
| VER-REQ-007 | SIL 3 | The Hardware Firing Interlock Relay shall be verified to be a normally-open fail-safe relay by de-energising the coil and confirming the firing soleno... | Test |
| VER-REQ-008 | SIL 3 | The Hardware Firing Interlock Relay shall be verified to de-energise and open the firing solenoid circuit within 10ms of receiving a FIRE-INHIBIT comm... | Test |
| VER-REQ-009 | SIL 2 | The Safe State Output Driver shall be verified to de-energise all actuator outputs and assert the SSOD-SAFE status signal within 50ms of Emergency Sto... | Test |
| VER-REQ-010 | SIL 3 | While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System shall be verified to maintain firing circuit inhi... | Inspection |
| VER-REQ-011 | SIL 3 | The Safety Interlock System shall be verified to operate correctly from supply voltages across the 22–32VDC nominal range. Test shall apply minimum (2... | Test |
| VER-REQ-012 | SIL 3 | The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly shall be verified by injecting an arming command thr... | Test |
| VER-REQ-013 | SIL 2 | The interface between the Safety Interlock System and the Turret Drive Assembly shall be verified by injecting a drive command to both azimuth and ele... | Test |
| VER-REQ-016 | SIL 2 | Verify SUB-REQ-017: With FCS in ARMED state and firing sequence active, assert SIS SAFE_STATE signal via hardware injection. Verify WCI CEASE assertio... | Test |
| VER-REQ-018 | SIL 2 | Verify IFC-REQ-018: Connect Barrel Change Mechanism barrel retention sensor to SIS test harness. Test barrel locked (0V) and unlocked (24V) states, ve... | Test |
| VER-REQ-020 | SIL 2 | Verify SUB-REQ-022: Mount production Weapon Cradle and Mount on structural test rig. Apply 25kN static load at weapon receiver interface. Measure alig... | Test |
| VER-REQ-021 | SIL 2 | Verify IFC-REQ-021: Connect FCC to TDC over production PCIe interface. Inject 50Hz aiming demand stream from FCC simulator, measure received demand ra... | Test |
| VER-REQ-022 | SIL 2 | Verify IFC-REQ-023: Connect EOSA to FCC integration bench. Stream simultaneous thermal and daylight channels at 50Hz. Measure frame-to-FCC buffer time... | Test |
| VER-REQ-025 | SIL 3 | Verify IFC-REQ-028: Apply controlled load shedding to all non-SIS subsystem branches simultaneously; measure SIS supply rail voltage throughout. Pass ... | Test |
| VER-REQ-036 | SIL 2 | Verify SUB-REQ-052: supplementary verification covering WCI SAFE state transition. On FCC hardware, confirm that watchdog starvation results in WCI sa... | Test |
| VER-REQ-038 | SIL 3 | Verify SUB-REQ-042: Apply 22V, 28V, and 32VDC to DCSC power input; verify DCSC remains in safe-state-ready condition and current draw ≤500mA per chann... | Test |
| VER-REQ-039 | SIL 3 | Verify SUB-REQ-043: Apply 18V, 24V, and 30VDC to HFIR coil; measure coil current, operate time, and release time using oscilloscope. Pass criterion: c... | Test |
| VER-REQ-051 | SIL 2 | Verify : Inject 1000 valid fire solution input frames on BCM test bench; then inject 100 frames with corrupted CRC. Verify: (a) all valid frames accep... | Test |
| VER-REQ-052 | SIL 2 | Verify SUB-REQ-050: Subject FCS LRU to MIL-STD-810H Method 507.6 (Humidity) and Method 514.8 (Vibration) test profiles. Pass criteria: LRU powers on a... | Test |
| VER-REQ-053 | SIL 3 | Verify SUB-REQ-051: Mount HFIR sample on MIL-STD-202 salt-spray test rig; expose for 1000 hours per Method 101. Then actuate relay for 50,000 cycles. ... | Test |
| VER-REQ-057 | SIL 3 | Verify SUB-REQ-061: Subject SIS Dual-Channel Safety Controller to MIL-STD-810H Method 501.7 (High Temperature, +70°C) and Method 502.7 (Low Temperatur... | Test |
| VER-REQ-058 | SIL 3 | Verify SUB-REQ-062: Obtain MIL-PRF-39016 qualification test report for selected relay component. Measure contact resistance at -55°C, +25°C, and +125°... | Inspection |
| VER-REQ-059 | SIL 2 | Verify SUB-REQ-014: Mount a calibrated thermal target (0.5K IR contrast delta-T above background) at 1000m in controlled environment. Command the Targ... | Test |
| VER-REQ-060 | SIL 2 | Verify SUB-REQ-018: Disable the thermal imaging channel in the FCS software and command engagement of a 2m x 2m visual contrast target at 200m range. ... | Test |
| VER-REQ-062 | SIL 2 | Verify SUB-REQ-023: Mount the weapon system on a force measurement platform with calibrated load cells on the mounting interface. Fire 10 rounds at fu... | Test |
| VER-REQ-067 | SIL 2 | Verify SUB-REQ-011: Apply 20V, 28V, and 32VDC to the FCS power input using a programmable supply. Verify fire control processor, sensor interfaces, an... | Test |
| VER-REQ-068 | SIL 2 | Verify SUB-REQ-016: Inject a FIRE command from FCS simulator to Weapon Control Interface (WCI) using a calibrated signal generator. Measure time from ... | Test |
| VER-REQ-069 | SIL 2 | Verify SUB-REQ-063: Mount instrumented weapon system to vehicle test rig moving at 15 km/h on representative terrain; command engagement against 2m x ... | Test |
| VER-REQ-070 | SIL 2 | Verify SUB-REQ-064: Command TDA through full 360 degree azimuth sweep and -20 to +60 degree elevation sweep at rated slew rates with ice loading appli... | Test |
| VER-REQ-073 | SIL 3 | Verify SUB-REQ-068: Inspect Dual-Channel Safety Controller LRU against approved mechanical drawing. Confirm separate PCBs for each channel, electrical... | Inspection |
| VER-REQ-083 | SIL 3 | Verify IFC-REQ-012: Actuate E-stop while system is in Operational mode. Measure time from E-stop actuation to de-energisation of the firing relay and ... | Test |
| VER-REQ-084 | SIL 3 | Verify IFC-REQ-014: Inject a simulated SIS fault condition. Measure the signal timing on the DCSC-to-SSOD separate drive command lines for both channe... | Test |
| VER-REQ-088 | SIL 2 | Verify SUB-REQ-025: With barrel retention sensor set to UNLOCKED state via test fixture, command fire. Confirm firing circuit remains de-energised. Re... | Test |
| VER-REQ-098 | SIL 2 | Verify SUB-REQ-073: Inject a synthetic processing fault signal into the Fire Control Computer test interface while weapon is in fire-ready state. Conf... | Test |
| VER-REQ-099 | SIL 2 | Verify SUB-REQ-074: With weapon in fire-ready state, apply fire command alone (no safety controller agree) and confirm firing relay does not energise.... | Test |
| VER-REQ-103 | SIL 2 | Verify SUB-REQ-083: Power-cycle FCC three times using hardware watchdog timeout injection. Measure time from watchdog assertion to restoration of oper... | Test |
| VER-REQ-106 | SIL 2 | Verify SYS-REQ-010: With RWS on system integration test bench, weapon loaded and turret in motion at 30 deg/s azimuth, activate E-STOP at OCU. Measure... | Test |
| VER-REQ-107 | SIL 2 | Verify SYS-REQ-009: On system integration bench with RWS in Engagement mode (weapon armed, turret active), interrupt the operator control link (OCU CA... | Test |
| VER-REQ-108 | SIL 3 | Verify SYS-REQ-017: Submit complete RWS assembly to MIL-STD-461G (Requirements for the Control of Electromagnetic Interference Characteristics of Subs... | Test |
| VER-REQ-110 | SIL 3 | Verify SYS-REQ-012: Apply power to RWS after 4-hour cold soak at -46°C. Measure time from power application to either (a) Surveillance mode ready stat... | Test |
| VER-REQ-111 | SIL 3 | Verify SYS-REQ-008: On fully integrated RWS with FCS in Engagement mode and weapon ARMED, force the FCS main processor into a software exception state... | Test |
| VER-REQ-112 | SIL 3 | Verify SUB-REQ-077: Configure PDU test harness with three safety-critical branch loads (firing interlock relay simulator, safety controller supply, se... | Test |
| VER-REQ-113 | SIL 2 | Verify SUB-REQ-027: Connect SIS test harness to TDA servo controller. Establish normal azimuth slew at 30°/s. Command DRIVE-INHIBIT from SIS. Measure ... | Test |
| VER-REQ-114 | SIL 2 | Verify SUB-REQ-075: With FCS in Engagement mode and active auto-track on a designated target, inject a simulated target track dropout at TTP (suppress... | Test |
| VER-REQ-115 | SIL 2 | Verify SUB-REQ-047: With weapon system mounted to vehicle, weapon cleared and condition confirmed SAFE by SIS BIT. Provide two qualified armourers wit... | Demonstration |
| VER-REQ-116 | SIL 2 | Verify SUB-REQ-076: On FCS test bench, attempt to load firing table data via the BCM update interface using: (a) a valid authenticated packet with cor... | Test |

Goal Structuring Notation per GSN Community Standard v3. Top goal decomposes into hazard mitigation sub-goals, each supported by SIL-allocated requirements and verification evidence.

```mermaid
flowchart TD
    G0["<b>G0: Top Goal</b><br/>Remote Weapon Station (RWS) is acceptably safe"]
    S0{"<b>S0: Strategy</b><br/>Argument by hazard<br/>mitigation per IEC 61508"}
    G0 --> S0
    G1["<b>G1: H-001</b><br/>Uncommanded weapon discharge due to electrical fault, softwa...<br/>SIL 3"]
    S0 --> G1
    Sn0_0(["<b>IFC-REQ-009</b>"])
    G1 --> Sn0_0
    Sn0_1(["<b>SUB-REQ-061</b>"])
    G1 --> Sn0_1
    Sn0_2(["<b>SUB-REQ-062</b>"])
    G1 --> Sn0_2
    G2["<b>G2: H-002</b><br/>Uncommanded turret motion crushing or striking personnel<br/>SIL 2"]
    S0 --> G2
    Sn1_0(["<b>IFC-REQ-010</b>"])
    G2 --> Sn1_0
    Sn1_1(["<b>SYS-REQ-010</b>"])
    G2 --> Sn1_1
    Sn1_2(["<b>VER-REQ-106</b>"])
    G2 --> Sn1_2
    G3["<b>G3: H-005</b><br/>Ammunition cookoff from sustained firing heat or vehicle fir...<br/>SIL 2"]
    S0 --> G3
    G4["<b>G4: H-006</b><br/>Loss of operator control while weapon armed due to cable dam...<br/>SIL 2"]
    S0 --> G4
    Sn3_0(["<b>SYS-REQ-009</b>"])
    G4 --> Sn3_0
    Sn3_1(["<b>VER-REQ-107</b>"])
    G4 --> Sn3_1
    G5["<b>G5: H-004</b><br/>Friendly fire due to target misidentification via degraded s...<br/>SIL 2"]
    S0 --> G5
    Sn4_0(["<b>VER-REQ-114</b>"])
    G5 --> Sn4_0
    Sn4_1(["<b>VER-REQ-116</b>"])
    G5 --> Sn4_1
    G6["<b>G6: H-007</b><br/>Software fault causing uncommanded fire via state machine co...<br/>SIL 3"]
    S0 --> G6
    Sn5_0(["<b>IFC-REQ-009</b>"])
    G6 --> Sn5_0
    Sn5_1(["<b>SYS-REQ-007</b>"])
    G6 --> Sn5_1
    Sn5_2(["<b>SYS-REQ-008</b>"])
    G6 --> Sn5_2
    G7["<b>G7: H-003</b><br/>Failure to transition to safe state when commanded<br/>SIL 3"]
    S0 --> G7
    Sn6_0(["<b>SUB-REQ-017</b>"])
    G7 --> Sn6_0
    Sn6_1(["<b>SUB-REQ-061</b>"])
    G7 --> Sn6_1
    Sn6_2(["<b>SYS-REQ-008</b>"])
    G7 --> Sn6_2
```

Machine-readable safety case structure. Import into GSN tools (Astah GSN, ASCE, NOR-STA).
```yaml
# GSN Safety Case — Remote Weapon Station (RWS)
# Generated 2026-03-27
# Goal Structuring Notation (GSN) per GSN Community Standard v3
goals:
  G0:
    text: "Remote Weapon Station (RWS) is acceptably safe"
    type: top-goal
    supported_by: [S0]
  G1:
    text: "H-001: Uncommanded weapon discharge due to electrical fault, software error, or EMI"
    sil: 3
    safe_state: "firing circuit de-energised, mechanical sear engaged, weapon on safe"
    supported_by: [IFC-REQ-009, SUB-REQ-061, SUB-REQ-062, SYS-REQ-007, SYS-REQ-008, VER-REQ-108, VER-REQ-110, VER-REQ-111, VER-REQ-112]
    evidence: [VER-REQ-012, VER-REQ-057, VER-REQ-058, VER-REQ-111, SYS-REQ-017, SYS-REQ-012, SYS-REQ-008, SUB-REQ-077]
  G2:
    text: "H-002: Uncommanded turret motion crushing or striking personnel"
    sil: 2
    safe_state: "turret drives de-energised, mechanical brakes engaged on both axes"
    supported_by: [IFC-REQ-010, SYS-REQ-010, VER-REQ-106, VER-REQ-110, VER-REQ-113]
    evidence: [VER-REQ-013, VER-REQ-106, SYS-REQ-010, SYS-REQ-012, SUB-REQ-027]
  G3:
    text: "H-005: Ammunition cookoff from sustained firing heat or vehicle fire exposure"
    sil: 2
    safe_state: "ammunition isolated from heat source, crew evacuated, fire suppression activated"
    supported_by: []
    evidence: []
  G4:
    text: "H-006: Loss of operator control while weapon armed due to cable damage or electronics failure"
    sil: 2
    safe_state: "weapon automatically safed within 500ms of link loss detection"
    supported_by: [SYS-REQ-009, VER-REQ-107]
    evidence: [VER-REQ-107, SYS-REQ-009]
  G5:
    text: "H-004: Friendly fire due to target misidentification via degraded sensors or limited FOV"
    sil: 2
    safe_state: "weapon on safe, operator alerted to identification uncertainty"
    supported_by: [VER-REQ-114, VER-REQ-116]
    evidence: [SUB-REQ-075, SUB-REQ-076]
  G6:
    text: "H-007: Software fault causing uncommanded fire via state machine corruption or race condition"
    sil: 3
    safe_state: "hardware firing interlock independent of software prevents discharge"
    supported_by: [IFC-REQ-009, SYS-REQ-007, SYS-REQ-008, VER-REQ-108, VER-REQ-111]
    evidence: [VER-REQ-012, VER-REQ-111, SYS-REQ-017, SYS-REQ-008]
  G7:
    text: "H-003: Failure to transition to safe state when commanded"
    sil: 3
    safe_state: "independent hardware safety forces firing circuit open and drives de-energised"
    supported_by: [SUB-REQ-017, SUB-REQ-061, SYS-REQ-008, VER-REQ-016, VER-REQ-106, VER-REQ-110, VER-REQ-112]
    evidence: [VER-REQ-016, VER-REQ-057, VER-REQ-111, SUB-REQ-017, SYS-REQ-010, SYS-REQ-012, SUB-REQ-077]
strategies:
  S0:
    text: "Argument by hazard mitigation per IEC 61508"
    supported_by: [G1, G2, G3, G4, G5, G6, G7]
solutions:
  ARC-REQ-006:
    text: "ARC: Safety Interlock System 1oo2D redundant channel architecture — The Dual-Channel Safety Controller implements 1oo2D "
    verification: Inspection
    sil: 3
  ARC-REQ-010:
    text: "ARC: Turret Drive Assembly — Dual-axis motion control with slip ring power transfer and dual-redundant encoders. Separat"
    verification: Inspection
    sil: 2
  ARC-REQ-011:
    text: "ARC: Electro-Optical Sensor Assembly — Common stabilised platform with separate day and thermal channels. The EOSA mount"
    verification: Inspection
    sil: 2
  IFC-REQ-009:
    text: "The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly SHALL be a hardwired n"
    verification: Test
    sil: 3
  IFC-REQ-010:
    text: "The interface between the Safety Interlock System and the Turret Drive Assembly SHALL provide a hardwired brake-release "
    verification: Test
    sil: 2
  IFC-REQ-011:
    text: "The interface between the Arming Key Switch Assembly and the Dual-Channel Safety Controller SHALL be a direct hardwired "
    verification: Test
    sil: 3
  IFC-REQ-012:
    text: "The interface between the E-stop and Link Watchdog Module and the Dual-Channel Safety Controller SHALL be a dual hardwir"
    verification: Test
    sil: 2
  IFC-REQ-013:
    text: "The interface between the Dual-Channel Safety Controller and the Hardware Firing Interlock Relay SHALL be a 24VDC energi"
    verification: Test
    sil: 3
  IFC-REQ-014:
    text: "The interface between the Dual-Channel Safety Controller and the Safe State Output Driver SHALL carry separate drive com"
    verification: Test
    sil: 2
  IFC-REQ-018:
    text: "The interface between the Barrel Change Mechanism and the Safety Interlock System SHALL transmit the BARREL-NOT-LOCKED s"
    verification: Test
    sil: 2
  IFC-REQ-021:
    text: "The interface between the Fire Control Computer and the Turret Drive Controller SHALL transmit weapon aiming demand pack"
    verification: Test
    sil: 2
  IFC-REQ-023:
    text: "The interface between the Electro-Optical Sensor Assembly and the Fire Control Computer SHALL transmit simultaneous ther"
    verification: Test
    sil: 2
  IFC-REQ-028:
    text: "The interface between the Power Distribution and Protection Module and the Safety Interlock System SHALL provide an alwa"
    verification: Test
    sil: 3
  SUB-REQ-001:
    text: "The Dual-Channel Safety Controller SHALL implement a 1oo2D (one-out-of-two with diagnostics) redundant channel architect"
    verification: Test
    sil: 3
  SUB-REQ-002:
    text: "The Dual-Channel Safety Controller SHALL transition to ARMED state only when the Arming Key Switch Assembly asserts key-"
    verification: Test
    sil: 3
  SUB-REQ-003:
    text: "The Hardware Firing Interlock Relay SHALL be a normally-open, fail-safe electromechanical relay installed in series with"
    verification: Test
    sil: 3
  SUB-REQ-004:
    text: "The Hardware Firing Interlock Relay SHALL de-energise and open the firing solenoid circuit within 10ms of the Dual-Chann"
    verification: Test
    sil: 3
  SUB-REQ-005:
    text: "The E-stop and Link Watchdog Module SHALL assert a safe-state trigger signal to the Dual-Channel Safety Controller withi"
    verification: Test
    sil: 2
  SUB-REQ-006:
    text: "When Emergency Stop is activated, the Safe State Output Driver SHALL de-energise all actuator outputs (both axis brake s"
    verification: Test
    sil: 2
  SUB-REQ-007:
    text: "While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System SHALL prevent trans"
    verification: Test
    sil: 3
  SUB-REQ-008:
    text: "When the Dual-Channel Safety Controller detects a fault via cross-channel comparison, internal diagnostic monitor, or ou"
    verification: Test
    sil: 3
  SUB-REQ-013:
    text: "The Fire Control Computer SHALL execute the pointing error closed-loop at not less than 50Hz, producing azimuth and elev"
    verification: Test
    sil: 2
  SUB-REQ-014:
    text: "The Target Tracking Processor SHALL maintain auto-track on a target with a minimum IR contrast of 0.5K with a track erro"
    verification: Test
    sil: 2
  SUB-REQ-015:
    text: "The Ballistic Computation Module SHALL complete a new fire solution within 20ms of receiving an updated laser rangefinde"
    verification: Test
    sil: 2
  SUB-REQ-016:
    text: "The Weapon Control Interface SHALL activate the weapon trigger solenoid within 5ms of receiving a FIRE command from the "
    verification: Test
    sil: 2
  SUB-REQ-017:
    text: "When the Safety Interlock System asserts the SAFE_STATE signal, the Fire Control System SHALL immediately issue a CEASE "
    verification: Test
    sil: 2
  SUB-REQ-018:
    text: "While operating in Degraded Mode with the thermal imaging channel failed, the Fire Control System SHALL maintain automat"
    verification: Test
    sil: 2
  SUB-REQ-022:
    text: "The Weapon Cradle and Mount SHALL withstand a peak recoil load of 25kN from sustained burst fire without permanent defor"
    verification: Test
    sil: 2
  SUB-REQ-023:
    text: "The Recoil Buffer and Damping System SHALL attenuate peak recoil force from 25kN weapon output to not more than 5kN tran"
    verification: Test
    sil: 2
  SUB-REQ-024:
    text: "The Barrel Change Mechanism SHALL enable a single maintainer to remove a hot barrel and install a replacement barrel wit"
    verification: Demonstration
    sil: 2
  SUB-REQ-025:
    text: "When the Barrel Change Mechanism barrel retention sensor reads UNLOCKED, the Weapon and Ammunition Handling Assembly SHA"
    verification: Test
    sil: 2
  SUB-REQ-026:
    text: "The Turret Drive Assembly SHALL achieve a weapon pointing accuracy of 0.1 mrad RMS under all combinations of vehicle vel"
    verification: Test
    sil: 2
  SUB-REQ-027:
    text: "When the Safety Interlock System asserts DRIVE-INHIBIT, the Turret Drive Assembly SHALL cease all azimuth and elevation "
    verification: Test
    sil: 2
  SUB-REQ-028:
    text: "The Azimuth Drive Motor and Gearbox SHALL provide continuous 360° azimuth rotation at slew rates from 0.1°/s to 60°/s, w"
    verification: Test
    sil: 2
  SUB-REQ-029:
    text: "The Thermal Imaging Camera SHALL provide a minimum instantaneous field of view (IFOV) of 0.3 mrad in the narrow field of"
```
verification: Test
sil: 2
SUB-REQ-030:
text: "The Laser Rangefinder SHALL measure target range to an accuracy of ±5m (1-sigma) across ranges from 200m to 4000m, and S"
verification: Test
sil: 2
SUB-REQ-031:
text: "While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL maintain Daylight Televis"
verification: Test
sil: 2
SUB-REQ-042:
text: "The Dual-Channel Safety Controller SHALL operate from a 28VDC supply (22–32V operating range per MIL-STD-1275E), with a "
verification: Test
sil: 3
SUB-REQ-043:
text: "The Hardware Firing Interlock Relay SHALL be energised from 24VDC (18–30V operating range), draw a coil current not exce"
verification: Test
sil: 3
SUB-REQ-044:
text: "The Elevation Drive Motor and Gearbox SHALL provide weapon elevation coverage from -20° (depression) to +60° (elevation)"
verification: Test
sil: 2
SUB-REQ-045:
text: "The Day Camera SHALL provide visible-band imaging at a minimum resolution of 0.3 mrad/pixel and a minimum frame rate of "
verification: Test
sil: 2
SUB-REQ-046:
text: "The Fire Control System SHALL achieve a Mean Time Between Critical Failures (MTBCF) of not less than 500 hours in the fi"
verification: Demonstration
sil: 2
SUB-REQ-047:
text: "The Weapon and Ammunition Handling Assembly SHALL enable replacement of the weapon barrel and clearing of a round jam wi"
verification: Demonstration
sil: 2
SUB-REQ-048:
text: "The Fire Control Computer SHALL execute an automated boresight verification routine at system power-on and on operator d"
verification: Test
sil: 2
SUB-REQ-049:
text: "The Sensor Stabilisation Platform SHALL provide a two-axis gyrostabilised mount for the EOSA sensor head, maintaining re"
verification: Test
sil: 2
SUB-REQ-051:
text: "The Hardware Firing Interlock Relay SHALL use gold-alloy bifurcated contacts rated at minimum 10A continuous at 28VDC an"
verification: Test
sil: 3
SUB-REQ-052:
text: "The Fire Control Computer SHALL implement a hardware watchdog timer with a 100ms timeout that independently de-energises"
verification: Test
sil: 2
SUB-REQ-053:
text: "The Weapon Control Interface SHALL implement a fail-safe output stage such that loss of power, loss of communication fro"
verification: Test
sil: 2
SUB-REQ-059:
text: "The Ballistic Computation Module SHALL validate the integrity of all fire solution inputs (LRF range, target angular vel"
verification: Test
sil: 2
SUB-REQ-061:
text: "The Safety Interlock System SHALL operate across the ambient temperature range -40°C to +70°C and SHALL maintain its SIL"
verification: Test
sil: 3
SUB-REQ-062:
text: "The Hardware Firing Interlock Relay SHALL be a hermetically sealed relay rated to operate across the temperature range -"
verification: Test
sil: 3
SUB-REQ-063:
text: "The Fire Control System SHALL provide stabilisation compensation to the ballistic solution such that first-round hit pro"
verification: Test
sil: 2
SUB-REQ-064:
text: "The Turret Drive Assembly SHALL provide continuous 360° azimuth traverse and -20° to +60° elevation coverage, with slew "
verification: Test
sil: 2
SUB-REQ-065:
text: "While in Degraded Operation mode with the thermal imager inactive, the Electro-Optical Sensor Assembly SHALL maintain a "
verification: Test
sil: 2
SUB-REQ-067:
text: "The Fire Control System SHALL execute an automated boresight verification sequence upon entry into Operational mode from"
verification: Test
sil: 2
SUB-REQ-068:
text: "The Safety Interlock System's Dual-Channel Safety Controller SHALL be packaged as a dedicated sealed LRU conforming to S"
verification: Inspection
sil: 3
SUB-REQ-073:
text: "When the Fire Control Computer detects an internal processing fault, the Fire Control System SHALL inhibit weapon firing"
verification: Test
sil: 2
SUB-REQ-074:
text: "The Weapon Control Interface SHALL implement a hardware-enforced dual-confirmation logic where both the operator fire co"
verification: Test
sil: 2
SUB-REQ-075:
text: "When the Target Tracking Processor loses target track for more than 500ms, the Fire Control System SHALL automatically d"
verification: Test
sil: 2
SUB-REQ-076:
text: "The Ballistic Computation Module SHALL accept firing table and meteorological data updates only from authenticated, cryp"
verification: Test
sil: 2
SUB-REQ-077:
text: "The Power Distribution Unit SHALL implement independent fused circuit branches for safety-critical loads (firing interlo"
verification: Test
sil: 3
SUB-REQ-078:
text: "When the primary (optical) imaging channel fails, the Electro-Optical Sensor Assembly SHALL continue providing thermal i"
verification: Demonstration
sil: 2
SUB-REQ-079:
text: "The Fire Control System SHALL enforce that the operator explicitly acknowledges positive target identification (IFF stat"
verification: Inspection
sil: 2
SUB-REQ-083:
text: "When the Fire Control Computer hardware watchdog asserts a system reset, the Fire Control Computer SHALL complete a cont"
verification: Test
sil: 2
SYS-REQ-007:
text: "The Remote Weapon Station SHALL implement a two-action weapon arming sequence requiring explicit operator ARM command fo"
verification: Test
sil: 3
SYS-REQ-008:
text: "The Remote Weapon Station SHALL provide a hardware firing interlock independent of the fire control software that physic"
verification: Test
sil: 3
SYS-REQ-009:
text: "When the operator control link is lost, the Remote Weapon Station SHALL safe the weapon firing circuit and de-energise t"
verification: Test
sil: 2
SYS-REQ-010:
text: "When Emergency Stop is activated, the Remote Weapon Station SHALL de-energise all turret drive motors and engage mechani"
verification: Test
sil: 2
VER-REQ-002:
text: "Verify SUB-REQ-002: Inject arming command sequences in SIS test harness. Test cases: (a) key only — expect ARMED state N"
verification: Test
sil: 3
VER-REQ-003:
text: "Verify SUB-REQ-005: Simulate data link heartbeat dropout at SIS bench test harness. Inject heartbeat at 10Hz, then drop "
verification: Test
sil: 2
VER-REQ-004:
text: "Verify SUB-REQ-008: Inject simulated faults into SIS test harness (channel mismatch, diagnostic monitor trip, output fee"
verification: Test
sil: 3
VER-REQ-005:
text: "Verify IFC-REQ-011: Connect Arming Key Switch Assembly to SIS test harness. Rotate key through all 3 positions (SAFE, AR"
verification: Test
sil: 3
VER-REQ-006:
text: "Verify IFC-REQ-013: Apply 24VDC energise command from SIS test harness to Hardware Firing Interlock Relay. Test AND-gate"
verification: Test
sil: 3
VER-REQ-007:
text: "The Hardware Firing Interlock Relay shall be verified to be a normally-open fail-safe relay by de-energising the coil an"
verification: Test
sil: 3
VER-REQ-008:
text: "The Hardware Firing Interlock Relay shall be verified to de-energise and open the firing solenoid circuit within 10ms of"
verification: Test
sil: 3
VER-REQ-009:
text: "The Safe State Output Driver shall be verified to de-energise all actuator outputs and assert the SSOD-SAFE status signa"
verification: Test
sil: 2
VER-REQ-010:
text: "While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System shall be verified t"
verification: Inspection
sil: 3
VER-REQ-011:
text: "The Safety Interlock System shall be verified to operate correctly from supply voltages across the 22–32VDC nominal rang"
verification: Test
sil: 3
VER-REQ-012:
text: "The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly shall be verified by i"
verification: Test
sil: 3
VER-REQ-013:
text: "The interface between the Safety Interlock System and the Turret Drive Assembly shall be verified by injecting a drive c"
verification: Test
sil: 2
VER-REQ-016:
text: "Verify SUB-REQ-017: With FCS in ARMED state and firing sequence active, assert SIS SAFE_STATE signal via hardware inject"
verification: Test
sil: 2
VER-REQ-018:
text: "Verify IFC-REQ-018: Connect Barrel Change Mechanism barrel retention sensor to SIS test harness. Test barrel locked (0V)"
verification: Test
sil: 2
VER-REQ-020:
text: "Verify SUB-REQ-022: Mount production Weapon Cradle and Mount on structural test rig. Apply 25kN static load at weapon re"
verification: Test
sil: 2
VER-REQ-021:
text: "Verify IFC-REQ-021: Connect FCC to TDC over production PCIe interface. Inject 50Hz aiming demand stream from FCC simulat"
verification: Test
sil: 2
VER-REQ-022:
text: "Verify IFC-REQ-023: Connect EOSA to FCC integration bench. Stream simultaneous thermal and daylight channels at 50Hz. Me"
verification: Test
sil: 2
VER-REQ-025:
text: "Verify IFC-REQ-028: Apply controlled load shedding to all non-SIS subsystem branches simultaneously; measure SIS supply "
verification: Test
sil: 3
VER-REQ-036:
text: "Verify SUB-REQ-052: supplementary verification covering WCI SAFE state transition. On FCC hardware, confirm that watchdo"
verification: Test
sil: 2
VER-REQ-038:
text: "Verify SUB-REQ-042: Apply 22V, 28V, and 32VDC to DCSC power input; verify DCSC remains in safe-state-ready condition and"
verification: Test
sil: 3
VER-REQ-039:
text: "Verify SUB-REQ-043: Apply 18V, 24V, and 30VDC to HFIR coil; measure coil current, operate time, and release time using o"
verification: Test
sil: 3
VER-REQ-051:
text: "Verify : Inject 1000 valid fire solution input frames on BCM test bench; then inject 100 frames with corrupted CRC. Veri"
verification: Test
sil: 2
VER-REQ-052:
text: "Verify SUB-REQ-050: Subject FCS LRU to MIL-STD-810H Method 507.6 (Humidity) and Method 514.8 (Vibration) test profiles. "
verification: Test
sil: 2
VER-REQ-053:
text: "Verify SUB-REQ-051: Mount HFIR sample on MIL-STD-202 salt-spray test rig; expose for 1000 hours per Method 101. Then act"
verification: Test
sil: 3
VER-REQ-057:
text: "Verify SUB-REQ-061: Subject SIS Dual-Channel Safety Controller to MIL-STD-810H Method 501.7 (High Temperature, +70°C) an"
verification: Test
sil: 3
VER-REQ-058:
text: "Verify SUB-REQ-062: Obtain MIL-PRF-39016 qualification test report for selected relay component. Measure contact resista"
verification: Inspection
sil: 3
VER-REQ-059:
text: "Verify SUB-REQ-014: Mount a calibrated thermal target (0.5K IR contrast delta-T above background) at 1000m in controlled"
verification: Test
sil: 2
VER-REQ-060:
text: "Verify SUB-REQ-018: Disable the thermal imaging channel in the FCS software and command engagement of a 2m x 2m visual c"
verification: Test
sil: 2
VER-REQ-062:
text: "Verify SUB-REQ-023: Mount the weapon system on a force measurement platform with calibrated load cells on the mounting i"
verification: Test
sil: 2
VER-REQ-067:
text: "Verify SUB-REQ-011: Apply 20V, 28V, and 32VDC to the FCS power input using a programmable supply. Verify fire control pr"
verification: Test
sil: 2
VER-REQ-068:
text: "Verify SUB-REQ-016: Inject a FIRE command from FCS simulator to Weapon Control Interface (WCI) using a calibrated signal"
verification: Test
sil: 2
VER-REQ-069:
text: "Verify SUB-REQ-063: Mount instrumented weapon system to vehicle test rig moving at 15 km/h on representative terrain; co"
verification: Test
sil: 2
VER-REQ-070:
text: "Verify SUB-REQ-064: Command TDA through full 360 degree azimuth sweep and -20 to +60 degree elevation sweep at rated sle"
verification: Test
sil: 2
VER-REQ-073:
text: "Verify SUB-REQ-068: Inspect Dual-Channel Safety Controller LRU against approved mechanical drawing. Confirm separate PCB"
verification: Inspection
sil: 3
VER-REQ-083:
text: "Verify IFC-REQ-012: Actuate E-stop while system is in Operational mode. Measure time from E-stop actuation to de-energis"
verification: Test
sil: 3
VER-REQ-084:
text: "Verify IFC-REQ-014: Inject a simulated SIS fault condition. Measure the signal timing on the DCSC-to-SSOD separate drive"
verification: Test
sil: 3
VER-REQ-088:
text: "Verify SUB-REQ-025: With barrel retention sensor set to UNLOCKED state via test fixture, command fire. Confirm firing ci"
verification: Test
sil: 2
VER-REQ-098:
text: "Verify SUB-REQ-073: Inject a synthetic processing fault signal into the Fire Control Computer test interface while weapo"
verification: Test
sil: 2
VER-REQ-099:
text: "Verify SUB-REQ-074: With weapon in fire-ready state, apply fire command alone (no safety controller agree) and confirm f"
verification: Test
sil: 2
VER-REQ-103:
text: "Verify SUB-REQ-083: Power-cycle FCC three times using hardware watchdog timeout injection. Measure time from watchdog as"
verification: Test
sil: 2
VER-REQ-106:
text: "Verify SYS-REQ-010: With RWS on system integration test bench, weapon loaded and turret in motion at 30 deg/s azimuth, a"
verification: Test
sil: 2
VER-REQ-107:
text: "Verify SYS-REQ-009: On system integration bench with RWS in Engagement mode (weapon armed, turret active), interrupt the"
verification: Test
sil: 2
VER-REQ-108:
text: "Verify SYS-REQ-017: Submit complete RWS assembly to MIL-STD-461G (Requirements for the Control of Electromagnetic Interf"
verification: Test
sil: 3
VER-REQ-110:
text: "Verify SYS-REQ-012: Apply power to RWS after 4-hour cold soak at -46°C. Measure time from power application to either (a"
verification: Test
sil: 3
VER-REQ-111:
text: "Verify SYS-REQ-008: On fully integrated RWS with FCS in Engagement mode and weapon ARMED, force the FCS main processor i"
verification: Test
sil: 3
VER-REQ-112:
text: "Verify SUB-REQ-077: Configure PDU test harness with three safety-critical branch loads (firing interlock relay simulator"
verification: Test
sil: 3
VER-REQ-113:
text: "Verify SUB-REQ-027: Connect SIS test harness to TDA servo controller. Establish normal azimuth slew at 30°/s. Command DR"
verification: Test
sil: 2
VER-REQ-114:
text: "Verify SUB-REQ-075: With FCS in Engagement mode and active auto-track on a designated target, inject a simulated target "
verification: Test
sil: 2
VER-REQ-115:
text: "Verify SUB-REQ-047: With weapon system mounted to vehicle, weapon cleared and condition confirmed SAFE by SIS BIT. Provi"
verification: Demonstration
sil: 2
VER-REQ-116:
text: "Verify SUB-REQ-076: On FCS test bench, attempt to load firing table data via the BCM update interface using: (a) a valid"
verification: Test
sil: 2