Remote Weapon Station (RWS)

Rationale: Integration test verifying the physical radio interface meets BMS throughput requirements before field deployment.

Rationale: 1oo2D redundancy cannot be fully verified by test alone — the statistical reliability claim requires analytical demonstration using FMEDA (Failure Modes, Effects, and Diagnostic Analysis). Pass criteria require a 2x margin to account for environmental derating and manufacturing variation.

Rationale: Combinatorial testing of the two-action sequence covers the four possible input combinations and the timeout path. 100 trials per case provides statistical confidence at the level appropriate for a SIL 3 function. Oscilloscope measurement verifies the 2-second window is accurately implemented.

Rationale: Temperature range testing is required because watchdog timer accuracy can drift with temperature in hardware implementations. 50 trials per temperature point is the minimum to detect systematic failures. Oscilloscope measurement provides millisecond-accurate timing independent of any logging latency.

Rationale: Fault injection testing at component level is required by IEC 61508 to verify the diagnostic response chain. Testing the latch behaviour independently (not relying on the system's own logging) eliminates the risk that a software fault could falsely indicate a successful reset.

Rationale: Direct measurement at controller terminals (not at key switch) verifies the full wiring harness including connectors. Open/short fault testing validates the 100Hz continuity monitoring function that supports the fault-safe-state budget.

Rationale: AND-gate functional test is required to prove the dual-channel firing barrier. Relay weld testing addresses the critical failure mode that could defeat the firing barrier without detection.

Rationale: SUB-REQ-003 specifies a normally-open fail-safe relay as a SIL 3 hardware safety measure. Physical verification by circuit-open measurement confirms the fail-safe state is achieved without software intervention. The 20ms criterion matches the SIS de-energise budget.

Rationale: SUB-REQ-004 specifies 10ms de-energise time as the SIL 3 hardware safety timing budget. Testing under worst-case inductive load and temperature extremes confirms the relay meets the budget in all operational conditions, which is required for the overall SIS response time chain.

Rationale: SUB-REQ-006 specifies 50ms SSOD response as the intermediate timing budget within the 200ms E-stop chain required by SYS-REQ-010. Individual channel measurement catches partial-failure modes where one output de-energises but another does not, which is critical for 1oo2D SIS architecture.

Rationale: SUB-REQ-007 requires a physical lockout that cannot be overridden by software — the inspection method with physical key insertion confirms the hardwired nature of the lockout. Software injection of fire and drive commands while the key is inserted is the only way to confirm software cannot override the physical interlock.

Rationale: SUB-REQ-009 specifies 22–32VDC operating range reflecting MIL-STD-1275 (Characteristics of 28-Volt DC Electrical Systems in Military Vehicles) voltage tolerance for vehicle power buses. Testing the full range confirms the SIS does not have a latent voltage-induced failure mode that could cause spurious safe-state assertion or inhibit safe-state activation.

Rationale: IFC-REQ-009 defines the last physical gate before ammunition discharge. End-to-end interface testing from SIS enable logic to WAHA-FIRE-ENABLE signal confirms the hardware firing path matches the SIS design. The 15ms de-assertion timing test detects wiring faults or relay contact welding that would prevent safe-state from inhibiting fire.

Rationale: IFC-REQ-010 specifies a hardwired drive inhibit as a backup to the E-stop brake engagement. Verifying zero motion under commanded drive with inhibit asserted confirms the hardwired path is not software-bypassable, which is essential for the SIL 2 uncommanded turret motion hazard mitigation.

Rationale: HIL test using production FCC hardware with TTP simulator validates control loop timing under realistic software load. 1000-cycle sample provides statistical confidence on timing conformance.

Rationale: BCM latency directly affects hit probability (SYS-REQ-001). Test across three ammunition profiles confirms the ballistic model runtime is within budget for all supported munition types.

Rationale: Safety verification for H-003 mitigation. Hardware injection test required at SIL 2 to confirm the software-level safing is not bypassed by race conditions or interrupt latency. The 1ms CEASE latency is tighter than the 5ms activation latency in SUB-REQ-016 because the safing path is interrupt-driven.

Rationale: Integration test verifying PCIe latency budget for the TTP–FCC interface. 10,000-frame sample detects intermittent latency spikes that a short test would miss. Frame rate tolerance ±0.5Hz ensures the FCC control loop is not rate-starved by PCIe scheduling jitter.

Rationale: Direct measurement at SIS input terminals verifies the full wiring path. Open/short fault testing confirms active-low fail-safe convention is correctly implemented — an open circuit must not be interpreted as barrel-locked.

Rationale: Integration test at bench level using production AMA and FCC hardware. Rate tolerance testing confirms 1553B scheduling does not cause message dropout. Three load levels verify sensor accuracy across the full range, not just at nominal.

Rationale: Static and fatigue testing under worst-case load conditions confirms structural and alignment requirements simultaneously. 500 cycles represents approximately 10 barrel lives of burst fire and is the acceptance criterion for structural fatigue.

Rationale: Integration test of the FCC-TDC interface under production hardware conditions. Temperature testing confirms PCIe driver timing is not affected by thermal derating. 10,000-packet sample detects latency spikes that a short test would not reveal.

Rationale: Integration bench test using production EOSA and FCC hardware verifies the dual-channel video interface under realistic conditions. Frame synchronisation test confirms the day and thermal channels can be correlated by the FCS target tracker.

Rationale: Integration test verifying GPS data distribution to FCS meets timing accuracy required for ballistic computation.

Rationale: Safety function requires uninterrupted supply; test confirms the always-on SIS branch is electrically independent from load-shedded branches.

Rationale: SSPC fault isolation time is critical to prevent safety-critical subsystem power interruption during fault conditions.

Rationale: Hardware-in-the-loop test at the FCC-BCM PCIe interface is the only way to verify sub-20ms latency under realistic computational load; simulation cannot confirm PCIe scheduling jitter.

Rationale: The 1ms end-to-end command latency is the hardware interlock response budget—only physical bench test with production RS-422 hardware can confirm actual propagation and interrupt service timing.

Rationale: Belt tension limits are mechanically derived from feed mechanism geometry across the traverse envelope; only physical integration testing can validate tension variation due to gravity, belt weight, and cable routing at the limit positions.

Rationale: Slip ring contact degradation is a wear-out failure mode unique to rotating machinery; only endurance testing through the rated 50,000-rotation life can confirm resistance and attenuation compliance at end-of-life, which simulation cannot predict.

Rationale: The 5ms latency budget is derived from the engagement timeline—operator reaction time is the gating factor. Only integrated test under concurrent video load confirms latency is not crowded out by video bandwidth on the shared 100BASE-TX link.

Rationale: Watchdog hardware timeout is a SIL-2 safety function; software simulation cannot verify the hardware timer fires and the WCI responds within the 100ms budget under actual hardware scheduling and interrupt latency.

Rationale: MIL-STD-1275E operating range and surge current limits protect FCC against vehicle electrical transients; bench test across the full voltage range with surge measurement is required to confirm the power supply design margin before environmental qualification.

Rationale: SIL-3 component power verification requires physical test across MIL-STD-1275E range to confirm no false safe-state assertions from voltage transients—analysis alone is insufficient for SIL-3.

Rationale: Relay operate and release times at voltage extremes determine whether the interlock de-energises before a complete burst cycle—physical test is required since relay timing varies with coil voltage and contact wear.

Rationale: Integration test confirming the elevation axis meets both the angular range and rate requirements of SYS-REQ-003, under load conditions representative of the heaviest qualified weapon.

Rationale: Motion simulator test replicates actual vehicle dynamics while enabling precision LOS measurement against a fixed reference, which cannot be achieved in field conditions. 120-second duration captures multiple stabilisation transients.

Rationale: Power-cycle repetition tests routine reliability across start-up states. Deliberate misalignment injection directly validates the 1.0 mrad inhibit threshold required by SUB-REQ-048.

Rationale: Demonstration testing to MIL-HDBK-781A is the accepted method for reliability compliance claims. FMEA supplements test data where sample size is insufficient for statistical significance at 80% confidence.

Rationale: Direct hardware test of the watchdog timeout boundary at operating temperature extremes. The ±5ms tolerance accommodates crystal oscillator drift without invalidating the safety margin. Temperature extremes verify the RC timing network used in watchdog hardware is within tolerance across the vehicle thermal envelope.

Rationale: Oscilloscope measurement directly validates the fail-safe timing requirement. Testing across 22-32VDC supply range verifies the output driver and relay operate within spec at vehicle battery voltage extremes. 20 trials provide statistical confidence that the result is not a timing anomaly.

Rationale: Physical embodiment requirements for LRUs are verified by inspection against the as-built hardware; dimensional and mass compliance cannot be assured by analysis alone for procurement and acceptance.

Rationale: Timing compliance for link-loss detection is safety-critical (feeds the 500ms SYS-REQ-009 budget) and must be verified by hardware-in-the-loop test to account for real bus latency and gateway processing time.

Rationale: Annunciation latency and content must be verified end-to-end with a realistic fault injection on an integrated test bench, as display timing depends on the OCU CPU processing pipeline and display update rate.

Rationale: Stabilisation accuracy under vehicle motion is a safety-relevant performance parameter that cannot be verified by analysis — hardware-in-the-loop testing on a motion simulator is the only method that exercises the actual closed-loop dynamics of the TDC with real sensor and actuator characteristics.

Rationale: End-to-end test at BCM input validates both the integrity check logic and the fault reporting path. Using 100 corrupt injections ensures statistical coverage across CRC bit-error patterns.

Rationale: Environmental qualification by physical test is the only method that validates hermetic seal integrity and structural robustness under representative vehicle-mounted vibration. Analysis cannot substitute for physical exposure at this qualification stage.

Rationale: Contact resistance degradation under salt spray and mechanical cycling cannot be predicted analytically for electromechanical relays in defence environments; physical endurance testing per MIL-STD-202 is required for SIL-3 hardware qualification.

Rationale: SSPC fault isolation must be verified under representative load conditions; analytical models of trip behaviour cannot account for PCB parasitics and component tolerance stacking. Test directly confirms the 1ms isolation criterion that protects safety-critical loads.

Rationale: IP67 sealing and temperature range for the TDA drive mechanism must be verified by test because seal integrity under thermal cycling and water pressure cannot be confirmed by analysis of bearing datasheets alone.

Rationale: IEC 61508 SIL 3 requires the safety function to be verified under all operational conditions including temperature extremes. Test at -40°C and +70°C is the only method to confirm relay contact resistance and diagnostic monitor thresholds remain within SIL 3 PFD budget under thermal stress.

Rationale: MIL-PRF-39016 qualification test report provides established reliability screening data required for SIL 3 PFD calculation. Contact resistance verification across temperature range confirms the relay remains within the firing circuit voltage budget at thermal extremes.

Rationale: Auto-track accuracy on minimum-contrast targets defines the boundary condition for engagement probability in degraded IR conditions. Only physical test against a calibrated thermal target replicates the actual signal-to-noise environment; analysis cannot validate the IR image processing algorithms against real scene clutter.

Rationale: Degraded mode operation with failed thermal channel is a ConOps scenario where the day camera provides the only targeting solution. SIL-2 classification requires that the degraded mode be verified to maintain a safe engagement capability without creating new hazards such as missed mode transition annunciation.

Rationale: BIT is the primary mechanism for detecting latent failures in safety-interlocked functions before engagement. The 30-second BIT duration is a ConOps constraint — operators require system readiness within that window from cold start. Fault injection testing verifies that BIT fault codes are accurate and not masked.

Rationale: Recoil force transmitted to the turret ring and vehicle interface is a safety requirement — 5 kN is the structural design limit of the mounting interface per the vehicle integration specification. Analysis alone cannot validate the non-linear compliance of the hydraulic buffer under dynamic firing conditions; physical test is required to confirm the damping characteristic against the actual weapon system impulse.

Rationale: 360-degree continuous traverse without a hard stop is a defining capability of the RWS that distinguishes it from limited-traverse systems. SYS-REQ-003 requires 60 deg/s minimum; any reduction below this prevents engagement of fast-moving targets. The slip ring assembly that enables unlimited traverse must be verified not to introduce binding or electrical dropout that would interrupt the azimuth control loop.

Rationale: MIL-STD-6016 (STANAG 5516) compatibility is a NATO interoperability requirement that cannot be verified by inspection of the implementation alone; only protocol-level test with a conformant BMS simulator confirms proper message encoding, timing, and format compliance. The 1 Hz minimum rate is the SYS-REQ-013 threshold derived from BMS track refresh rate requirements.

Rationale: MIL-STD-1275E (Characteristics of 28-Volt DC Electrical Systems in Military Vehicles) defines the vehicle bus voltage transient environment. Verification across the full 20-32V operating range is required to confirm that TDA servo control does not fail at voltage extremes that occur during vehicle engine start or high-current switching events.

Rationale: 15-minute barrel change is a SYS-REQ-015 maintainability requirement driven by the tactical need to restore fire capability within the window of a brief operational pause. Demonstration by a single trained maintainer under realistic conditions (hot barrel, PPE, time pressure) validates the procedure is feasible as designed, not just theoretically achievable.

Rationale: FCS contains the SIL-2 fire control processor and the Weapon Control Interface which must remain functional across the MIL-STD-1275E vehicle bus operating range. A voltage-induced reset of the fire control processor during a firing sequence is a hazardous event that could produce an unintended burst.

Rationale: Trigger actuation latency is the direct cause of muzzle timing error at slew rates up to 40°/s; a 5ms error at 40°/s elevation rate produces 0.03° muzzle deflection, degrading first-round hit probability below the SYS-REQ-001 threshold of P_h ≥ 0.7. Functional test at three supply voltage points verifies compliance under MIL-STD-1275E operating range extremes.

Rationale: Statistical confidence on P_h ≥ 0.70 requires minimum 35 hits in 50 shots (95% CI lower bound ~0.64). Dynamic platform test is mandatory because bench-static boresight testing cannot exercise the stabilisation compensation path.

Rationale: The TDA kinematic envelope under worst-case load is only verifiable by physical test with applied ice mass; analysis alone cannot account for bearing friction variation under frozen lubricant conditions.

Rationale: BMS data link throughput and video delivery rate are integration-testable requirements that cannot be verified by inspection or analysis.

Rationale: Automated boresight verification is a time-critical function for operational readiness; the 5-minute constraint cannot be verified by design review alone.

Rationale: Physical separation of dual-channel safety-critical hardware is a SIL 3 architectural requirement that must be verified by inspection; it cannot be tested by functional means alone.

Rationale: The 5-second degraded-mode switchover is a safety-relevant performance constraint that must be verified under live fault injection; the switchover logic cannot be validated by analysis alone.

Rationale: NATO STANAG 4569 turret ring compliance is a hard physical interface constraint; only inspection against the approved drawing can confirm conformance of the manufactured part.

Rationale: MIL-STD-1275E (Characteristics of 28 Volt DC Electrical Systems in Military Vehicles) compliance requires live testing across the full operating range; datasheet analysis alone cannot verify system-level behaviour at voltage extremes.

Rationale: CAN bus message exchange is a functional requirement that must be tested with live traffic at the interface; the message set and timing are not verifiable by inspection of wiring alone.

Rationale: GNSS data ingestion timing directly affects ballistic solution accuracy; the end-to-end latency from navigation input to fire solution update cannot be derived by analysis of component specs alone and requires integration test.

Rationale: STANAG 4090 (Ammunition Link Design Requirements) ammunition interface compliance requires live feed testing; link engagement geometry cannot be verified by dimensional inspection alone because dynamic forces during feeding affect compatibility.

Rationale: MIL-STD-6016 (Tactical Digital Information Link - TADIL J) interoperability must be confirmed against an external receiver; link budget and encoding are not verifiable by analysis of the transmitter specification alone.

Rationale: Video throughput and latency across the EOSA-FCS interface determines tracking loop bandwidth; compliance cannot be verified by datasheet analysis because it depends on the physical link implementation.

Rationale: The FCS-TDA servo loop timing is a performance-critical interface; 100Hz demand rate and the resulting pointing accuracy cannot be confirmed without measuring the actual interface signals under closed-loop conditions.

Rationale: The E-stop to DCSC interface is a SIL 3 safety function per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems); response time and dual-channel routing must be verified by live fault injection and wiring inspection, not analysis.

Rationale: Dual-channel independence on the DCSC-to-SSOD interface is a SIL 3 architectural requirement; independence must be confirmed under fault injection because it cannot be verified by inspection of the schematic alone.

Rationale: The VCNIM-TDL Processor interface carries high-bandwidth compressed video; actual throughput depends on network implementation and cannot be inferred from link specification alone.

Rationale: PMCU-to-FCC telemetry latency determines how quickly the FCS can respond to power fault conditions; compliance requires live power fault injection to verify end-to-end detection and response timing.

Rationale: Weapon pointing accuracy under vehicle motion is the primary driver of first-round hit probability (SYS-REQ-001); the 0.1 mrad RMS threshold requires stabilisation loop validation under dynamic excitation, which analysis of the servo specification cannot substitute.

Rationale: The barrel retention interlock is a safety function; IEC 61508 SIL-2 requires functional verification by deliberate fault injection to confirm the interlock prevents firing with an unlocked barrel.

Rationale: TI camera IFOV determines target detection range performance; actual IFOV is a function of the detector array and optics that must be measured on the delivered unit, not inferred from the optical design specification.

Rationale: LRF range accuracy is critical to ballistic solution quality (SUB-REQ-015); the ±5m specification must be measured against calibrated range targets because laser pulse timing drift cannot be assessed from component datasheets alone.

Rationale: Operator display latency directly affects target tracking reaction time; the latency limit is derived from human factors analysis and must be validated under live video streaming conditions.

Rationale: PDU input range compliance ensures the system operates correctly across vehicle electrical bus excursions per MIL-STD-1275E (Characteristics of 28 Volt DC Electrical Systems in Military Vehicles); end-to-end output compliance must be measured on the integrated unit.

Rationale: DC-DC converter output accuracy affects digital logic and analogue sensor circuits; ±2% tolerance must be verified under load variations because converter regulation worsens at extremes that datasheets may not fully characterise for the integrated thermal environment.

Rationale: Day camera resolution is the foundational sensor performance parameter for target identification and tracking; actual resolution depends on detector pixel pitch, optics quality, and focus, which must be measured on the delivered unit.

Rationale: Integration test verifying TTP output specification at the FCS internal interface. Test bench allows repeatable stimulus without live optics.

Rationale: Ballistic accuracy is safety-significant — incorrect fire solutions cause engagement failures and potential collateral effects. Test bench validation with reference trajectories allows pre-qualification before live firing.

Rationale: Authentication failure allows injection of false target data or fire commands — this is a safety-significant cybersecurity requirement. Test bench injection simulates adversarial network attack without live network exposure.

Rationale: Functional safety test for FCC fault response. Must demonstrate deterministic safe-state transition within the 100ms timing budget under fault injection conditions representative of worst-case processing failure.

Rationale: Combinatorial test of dual-confirmation logic must verify all four input combinations to demonstrate that the AND gate is correctly implemented in hardware, not only the positive case.

Rationale: ROE requirement must be verified both functionally (blocking behaviour) and as an audit trail (logging completeness). Inspection of the audit log is the only verifiable evidence of the ethical compliance obligation.

Rationale: Boresight verification must be tested at both sides of the 0.3 mrad threshold to confirm the measurement system resolution is adequate and the pass/fail criterion is correctly implemented, not merely that a result is displayed.

Rationale: Directly verifies the 10s recovery time bound and SAFE state maintenance defined in SUB-REQ-083 under hardware-injected fault conditions.

Rationale: Usability demonstration with naive operator provides a valid test of the two-actuation bound without familiarity bias, directly verifying the human factors requirement.

Rationale: SYS-REQ-018 is a performance acceptance criterion that directly drives field trials. Range verification must use a representative tactical scenario with human operator to confirm the full system (optics + stabilisation + display chain) meets the PID requirement, not just the sensor module in isolation.

Rationale: SYS-REQ-010 is the system-level 200ms E-STOP timing requirement addressing H-002 (uncommanded turret motion crushing personnel, SIL-2) and H-003 (failure to safe state, SIL-3). Sub-component tests VER-REQ-009 and VER-REQ-084 verify individual SSOD and SIS signal paths but do not demonstrate end-to-end system timing from operator input to full mechanical brake engagement. A system-level test with instrumented current probes is required to close the safety argument for H-002 and H-003 at the SYS requirement level.

Rationale: SYS-REQ-009 directly addresses H-006 (loss of operator control while weapon armed, SIL-2): the 500ms safe-state timing must be verified at system level because the chain spans three subsystems (OCU/gateway heartbeat watchdog, SIS DCSC, SSOD relay). VER-REQ-003 verifies SUB-REQ-005 watchdog timing only; no existing VER test demonstrates the full end-to-end 500ms chain including relay actuation at system level. The sporadic dropout case tests the hazard where EMI or connector vibration causes intermittent link loss — the system must not false-trigger while still responding to genuine link loss.

Rationale: SYS-REQ-017 is safety-relevant: H-001 and H-007 both cite EMI as a cause of uncommanded weapon discharge (SIL-3 hazard) and software state machine corruption. Performing RS103 susceptibility with weapon armed directly tests whether EMI can cause inadvertent firing — this is the key scenario not covered by any existing VER requirement. No VER entry for SYS-REQ-017 existed prior to this session. MIL-STD-461G (not just 461F) is the current applicable standard for ground military vehicles per DEF-STAN 59-411.

Rationale: SYS-REQ-002 (≤8s detection-to-fire) is a top-level system performance requirement derived from STK-REQ-001 (effective threat response in urban patrol). The 8s budget is decomposed across auto-tracker acquisition (SUB-REQ-066, ≤3s), FCC solution latency (SUB-REQ-063, ≤200ms), and ARM sequence (SUB-REQ-002), but no system-level test validates the complete human-in-the-loop sequence time including OCU menu interactions. This test closes the scenario validation gap in the Urban Patrol Engagement ConOps scenario.

Rationale: SYS-REQ-012 is the gate between Initialization/BIT mode and Surveillance — a critical safety mode transition requirement. Failure to detect safety-critical faults during BIT allows the system to enter operational mode with unsafe hardware, directly enabling H-001, H-002, and H-003. The 90-second timing at -46°C is the worst-case temperature; no existing VER requirement verifies the BIT as a complete system sequence including fault detection sensitivity. The fault injection case is essential to validate that BIT has sufficient coverage to detect the failure modes it claims to catch.

Rationale: SYS-REQ-008 states the hardware firing interlock must be independent of fire control software — directly addressing H-001 (uncommanded discharge via electrical fault or software error, SIL-3) and H-007 (software fault causing fire via state machine corruption, SIL-3). The independence property cannot be verified by sub-component tests alone; it requires demonstrating that with FCS software in a known fault state, the hardware interlock still enforces safe-state. This is the key IEC 61508 (Functional safety of E/E/PE safety-related systems) architectural independence argument for SIL-3 at the system level.

Rationale: SUB-REQ-077 is SIL-3 rated because PDU branch failure that interrupts safety interlock or safety controller power directly enables H-001 (uncommanded discharge) and H-003 (failure to safe). The independence property must be verified at system level with real overcurrent injection — PCB-level inspection cannot confirm isolation under fault conditions. The test proves the branching architecture protects all safety-critical loads simultaneously.

Rationale: SUB-REQ-027 addresses H-002 (uncommanded turret motion, SIL-2): when the SIS determines a hazardous condition, the TDA must stop within 200ms to prevent personnel injury. The 200ms budget is safety-derived — turret inertia at 30°/s takes approximately 120ms to dissipate; the 200ms ceiling includes signal propagation and brake engagement. Testing at -40°C is required because lubricant viscosity affects brake engagement speed. The RESUME guard test verifies the SIS cannot be bypassed by the FCC.

Rationale: SUB-REQ-075 is SIL-2 because stale track data driving an active fire solution without operator awareness directly enables H-004 (friendly fire via sensor degradation). The 500ms threshold is chosen because track loss shorter than this is within normal target obscuration tolerance; beyond 500ms the track is operationally invalid and must not drive autonomous firing. The operator re-designation guard prevents the system from resuming engagement on a track whose validity was lost without operator confirmation.

Rationale: SUB-REQ-047 is SIL-2 because a weapon that cannot be brought to a safe confirmed state during maintenance (jam clearance timed out, barrel not seated correctly) creates a hazardous condition for the maintenance crew. Demonstration is appropriate because MTTR is a human factors metric that depends on tool set design and procedure quality; it must be demonstrated with qualified personnel under realistic field conditions, not simulated analytically.

Rationale: SUB-REQ-076 is SIL-2 because a corrupted or adversarially injected firing table could produce systematic ballistic errors enabling H-004 (friendly fire from target misidentification or erroneous fire solution). Authentication of firing table updates is a safety-critical data integrity control. The replay attack case (c) tests sequence-counter enforcement which prevents an adversary replaying a previously-valid but now-stale table.

Rationale: SUB-REQ-082 is a system-level degraded mode capability requirement derived from the Degraded Sensor Operation ConOps scenario (thermal crossover renders TI ineffective, crew must maintain mission capability on day camera). Demonstration is appropriate because the 800m engagement range under degraded conditions depends on the integrated sensor/FCS/human performance chain. No subsystem test verifies this end-to-end capability — it requires the full system with a qualified crew.

Rationale: SUB-REQ-078 requires the EOSA to continue providing thermal imaging data with no more than 2s transition latency when the optical channel fails. Identified as unverified during validation session 638. Demonstration required because failover involves sensor hardware, FCC processing, and operator display chain.

Rationale: SUB-REQ-012 specifies EOSA 28VDC power input with 20-32V operating range. Boundary testing at min/max voltage ensures sensors maintain performance under vehicle power bus variation.

Rationale: SUB-REQ-031 requires EOSA to provide day-channel continuity when TI fails. This is the inverse of SUB-REQ-078 (optical failure → TI continuity). Both failover paths must be demonstrated to confirm SYS-REQ-011 degraded operation.

Rationale: SUB-REQ-033 specifies GHC command output rate for operator control responsiveness. Untested GHC output could introduce control latency affecting engagement timelines (SYS-REQ-002).

Rationale: SUB-REQ-035 specifies VCNIM compression performance for video distribution to BMS and tactical data link. Insufficient compression or excess latency would degrade remote situational awareness (SYS-REQ-013).

Rationale: SUB-REQ-036 specifies the gateway's CAN/serial bridging function. Incorrect republishing would corrupt sensor data or control commands between subsystems (SYS-REQ-013, IFC-REQ-027).

Rationale: SUB-REQ-037 specifies EMC filter performance to meet SYS-REQ-017 MIL-STD-461G compliance. Without verification, conducted emissions could interfere with vehicle electronics or fail platform EMC certification.

Rationale: SUB-REQ-041 specifies PMCU monitoring accuracy for health monitoring and fault detection. Inaccurate power monitoring could mask overload conditions or trigger false fault alarms (IFC-REQ-029).

Rationale: SUB-REQ-072 specifies TDLP power input range from the vehicle DC bus. Power boundary verification ensures tactical data link availability under vehicle electrical transients — critical for remote engagement authorisation.

Rationale: SUB-REQ-080 specifies MIL-STD-6016E compliance for tactical data exchange. Interoperability testing is essential — non-compliant message formatting would prevent integration with allied C2 systems.