System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.

| Standard | Title |
|---|---|
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| SOLAS | — |
| SOLAS LSA Code requirements for EPIRBs and accounts for worst | — |

| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| CCCS | Completeness, Consistency, Correctness, Stability |
| EARS | Easy Approach to Requirements Syntax |
| IFC | Interface Requirements |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
```mermaid
flowchart TB
    n0["system<br>Autonomous Underwater Vehicle"]
    n1["actor<br>Mission Control Station"]
    n2["actor<br>Surface Support Vessel"]
    n3["actor<br>USBL Tracking System"]
    n4["actor<br>Ocean Environment"]
    n5["actor<br>Launch and Recovery System"]
    n6["actor<br>Satellite Network"]
    n0 -->|Mission plans, telemetry, sensor data| n1
    n2 -->|USBL fixes, acoustic commands| n0
    n3 -->|Position fixes via acoustic ranging| n0
    n4 -->|Pressure, temperature, currents| n0
    n5 -->|Physical launch/recovery, charging| n0
    n0 -->|Position reports via Iridium SBD| n6
```
AUV — System Context
```mermaid
flowchart TB
    n0["system<br>Autonomous Underwater Vehicle"]
    n1["subsystem<br>Navigation and Guidance"]
    n2["subsystem<br>Propulsion"]
    n3["subsystem<br>Power"]
    n4["subsystem<br>Sensor Payload"]
    n5["subsystem<br>Communications"]
    n6["subsystem<br>Vehicle Management Computer"]
    n7["subsystem<br>Pressure Hull and Structure"]
    n8["subsystem<br>Emergency and Safety"]
```
AUV — Subsystem Decomposition

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-OPS-001 | The Autonomous Underwater Vehicle SHALL execute pre-programmed survey missions autonomously for a minimum of 24 hours without operator intervention. Rationale: Deep-sea survey operations require extended autonomous operation because acoustic communication bandwidth (1kbps) is insufficient for real-time piloting, and surface vessel time is the primary cost driver at £25k/day. 24-hour minimum enables single-dive coverage of typical survey blocks (10km x 2km at 3 knots). | Demonstration | stakeholder, session-315 |
| STK-OPS-002 | The Autonomous Underwater Vehicle SHALL surface autonomously and activate recovery aids within 120 seconds of detecting any fault condition that could result in vehicle loss. Rationale: AUV replacement cost exceeds £2M and loss at 6000m depth makes recovery impractical. Autonomous surfacing is the primary loss-prevention mechanism. The 120-second threshold ensures the vehicle begins ascent before cascading faults can disable the emergency systems. This is the single most critical safety requirement for any untethered deep-sea vehicle. | Test | stakeholder, safety, session-315 |
| STK-OPS-003 | The Autonomous Underwater Vehicle SHALL collect and store georeferenced multibeam bathymetry, optical imagery, and oceanographic data at resolutions sufficient for peer-reviewed scientific publication. Rationale: Primary end users are marine scientists and hydrographic surveyors who require IHO S-44 Order 1 compliant bathymetry and georeferenced imagery for habitat mapping, infrastructure inspection, and geological survey. Data that cannot meet publication standards has no value — the entire mission cost is wasted. | Inspection | stakeholder, session-315 |
| STK-OPS-004 | The Autonomous Underwater Vehicle SHALL be deployable and recoverable from a standard oceanographic research vessel using a single A-frame crane without requiring hull modifications to the vessel. Rationale: AUVs operate from vessels of opportunity — research vessels, offshore supply vessels, and naval auxiliaries. Requiring specialised launch equipment limits operational availability and increases mobilisation costs. A-frame deployment with standard rigging is the industry baseline for vehicles under 500kg. | Demonstration | stakeholder, session-315 |
| STK-OPS-005 | The Autonomous Underwater Vehicle SHALL operate without emitting acoustic energy exceeding 180 dB re 1µPa at 1m in frequency bands below 1kHz during survey operations to minimise disturbance to marine mammals. Rationale: Operations in marine protected areas and environmentally sensitive sites require compliance with NOAA/NMFS acoustic exposure guidelines. Thruster noise and low-frequency sonar emissions are the primary contributors. Exceeding 180 dB SPL triggers marine mammal harassment thresholds under the US Marine Mammal Protection Act and equivalent EU regulations. | Test | stakeholder, environmental, session-315 |
| STK-OPS-007 | The Autonomous Underwater Vehicle SHALL be designed and documented in accordance with DNV-ST-0512 or equivalent marine classification society rules for autonomous and remotely operated submersible vehicles, including structural, electrical, and safety system requirements. Rationale: Marine classification society approval is required for operation in international waters and by most research institutions. DNV-ST-0512 is the primary standard for autonomous underwater vehicles. Without classification, the vehicle cannot be insured or deployed from most research vessels. | Inspection | stakeholder, regulatory, validation, session-321 |
| STK-OPS-008 | The Autonomous Underwater Vehicle SHALL support field-level maintenance including battery replacement, sensor module exchange, and hull seal inspection by a two-person technical team using standard hand tools within 4 hours, without requiring drydock facilities. Rationale: Research vessels operate on tight schedules with limited technical staff. AUV turnaround between missions must be achievable with the ship science party. Requiring specialist facilities or large teams for routine maintenance would severely limit operational availability during expedition cruises. | Demonstration | stakeholder, maintainability, validation, session-321 |
| STK-OPS-009 | The Autonomous Underwater Vehicle SHALL operate in seawater temperatures from minus 2 degrees Celsius to 35 degrees Celsius, survive deck storage temperatures from minus 20 degrees Celsius to 55 degrees Celsius, and withstand deployment in sea states up to Sea State 4 from a vessel A-frame. Rationale: The vehicle must operate in polar through tropical waters covering the full oceanographic temperature range. Deck storage on open vessels in Arctic or equatorial ports exposes the vehicle to extreme air temperatures. Sea State 4 is the practical limit for crane operations from typical research vessels and defines the minimum weather window for deployment and recovery. | Test | stakeholder, environmental, validation, session-321 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-FUNC-001 | The AUV power subsystem SHALL provide a minimum usable energy capacity of 10kWh to support 24-hour missions at 3-knot cruise speed with all survey sensors active. Rationale: Power budget analysis: propulsion at 3 knots draws 400W, navigation sensors 80W, survey payload 150W, vehicle management 50W, comms 20W = 700W total. 24h × 700W = 16.8kWh gross, but with 15% abort reserve and 85% battery depth-of-discharge limit, the required installed capacity is approximately 10kWh usable from a 13kWh pack. | Test | system, performance, session-315 |
| SYS-FUNC-002 | The AUV navigation subsystem SHALL maintain position accuracy of less than 0.1% of distance travelled over a 24-hour mission without GPS or surface position fixes. Rationale: Survey data georeferencing requires knowing vehicle position to within the resolution of the multibeam sonar footprint. At 100m altitude, the multibeam footprint is approximately 1m. Over a 24h mission at 3 knots the vehicle travels ~130km, so 0.1% DTT gives 130m drift — acceptable with periodic DVL bottom-lock and INS aiding, and within post-processing correction capability using terrain-relative navigation. | Test | system, performance, session-315 |
| SYS-FUNC-003 | When a critical fault is detected, the emergency and safety subsystem SHALL initiate drop-weight release and positive-buoyancy ascent within 5 seconds of fault confirmation, independent of the vehicle management computer. Rationale: The 120-second surface-and-activate-beacon requirement from STK-OPS-002 includes ascent time plus beacon activation. From 6000m, passive buoyant ascent at approximately 1m/s takes 100 minutes — far exceeding 120s. The 5-second initiation requirement ensures no delay is added by the safety system itself. Independence from the VMC is essential because the VMC may be the failed component. | Test | system, safety, session-315 |
| SYS-FUNC-004 | The emergency and safety subsystem SHALL include a hardware watchdog timer that triggers emergency surfacing if the vehicle management computer heartbeat is absent for more than 60 seconds. Rationale: Software watchdogs can be defeated by the same fault that disables the VMC. A hardware watchdog on an independent microcontroller with its own power supply ensures that total VMC failure (hardware crash, power rail loss, software hang) always results in surfacing. The 60-second timeout allows for VMC reboot attempts while preventing extended uncontrolled descent. | Test | system, safety, session-315 |
| SYS-FUNC-005 | The sensor payload subsystem SHALL acquire multibeam bathymetry data at a minimum resolution of 0.5m across a 120-degree swath at 100m altitude, compliant with IHO S-44 Order 1 standards. Rationale: IHO S-44 Order 1 requires total horizontal uncertainty of 5m + 5% depth and vertical uncertainty of 0.5m at 95% confidence. At 100m altitude, a 400kHz multibeam with 120-degree swath covers approximately 200m width with 0.5m beam spacing. This resolution, combined with the 0.1% DTT navigation accuracy, satisfies the horizontal uncertainty budget for depths to 6000m. | Test | system, performance, session-315 |
| SYS-FUNC-006 | The sensor payload subsystem SHALL provide a minimum of 4TB non-volatile storage with sustained write throughput of 200MB/s to support simultaneous multibeam, side-scan, camera, and CTD data logging for 72-hour missions. Rationale: Data rate budget: multibeam at 50MB/s, side-scan at 30MB/s, 4K video at 100MB/s, CTD at 0.1MB/s = 180MB/s aggregate. 72h at 180MB/s = 46TB theoretical maximum, but with compression (4:1 typical for sonar) and duty-cycled camera operation, 4TB provides adequate capacity. 200MB/s write speed includes 10% margin over aggregate sensor rate. | Test | system, performance, session-315 |
| SYS-FUNC-007 | The pressure hull and structure SHALL constrain total vehicle dry mass to no more than 350kg and maximum dimension to 4.5m length to permit single-point crane lift from a standard oceanographic A-frame. Rationale: Standard oceanographic A-frames (e.g., on R/V class vessels) have a safe working load of 2-5 tonnes and a throat clearance of 3-5m. 350kg is well within the SWL including dynamic loading from sea state 4 conditions. The 4.5m length constraint ensures the vehicle fits within the A-frame width and can be handled on a working deck with standard rigging points. | Inspection | system, physical, session-315 |
| SYS-FUNC-008 | When surfaced, the communications subsystem SHALL transmit GPS-derived position via Iridium SBD at intervals no greater than 5 minutes and activate a xenon strobe visible at 2 nautical miles in darkness. Rationale: Post-mission or emergency surface recovery requires the support vessel to locate the AUV. Iridium SBD provides global coverage position reporting independent of vessel range. 5-minute interval balances power consumption against drift rate (surface currents typically 0.5-1 knot = 150-300m between reports). Xenon strobe at 2nm visibility is the COLREG standard for small vessel lights and enables visual acquisition in final approach. | Test | system, recovery, session-315 |
| SYS-FUNC-009 | While conducting survey operations, the AUV SHALL not produce radiated noise exceeding 130 dB re 1µPa at 1m in the 10Hz-1kHz band from propulsion, and the multibeam sonar SHALL operate above 100kHz. Rationale: Marine mammal hearing sensitivity peaks between 10Hz-1kHz for baleen whales. Propulsion noise at 130 dB SPL at source attenuates to below harassment threshold (120 dB RMS for continuous noise per NOAA guidelines) within 3m. Multibeam operation above 100kHz is outside the hearing range of most cetaceans (upper limit ~80kHz for most species). Combined, these constraints enable operations in marine protected areas without triggering permitting requirements. | Test | system, environmental, session-315 |
| SYS-FUNC-010 | The pressure hull and structure SHALL withstand continuous external hydrostatic pressure of 600 bar (equivalent to 6000m seawater depth) with a minimum safety factor of 1.5 on yield strength. Rationale: 6000m depth rating covers 97% of the ocean floor, enabling full-ocean-depth survey capability excluding only the hadal trenches. The 1.5 safety factor on yield for Ti-6Al-4V is consistent with DNV-GL rules for submersible pressure vessels and provides margin for material variability, cyclic fatigue from repeated dive profiles, and manufacturing tolerances on wall thickness. | Analysis | system, structural, session-315 |
| SYS-FUNC-011 | The AUV SHALL achieve a mean time between critical failures of at least 2000 operating hours, where a critical failure is defined as any failure requiring mission abort or emergency surfacing. Rationale: A 24-hour mission cycle with deployment costs exceeding 50000 USD per ship-day demands high reliability. 2000 hours MTBCF provides less than 1.2 percent probability of critical failure per mission, consistent with mature AUV platforms such as Kongsberg HUGIN and MBARI LRAUV. This value drives component selection, redundancy architecture, and screening requirements. | Analysis | system, reliability, validation, session-321 |
| SYS-FUNC-012 | The AUV SHALL execute a comprehensive pre-dive built-in test sequence verifying all safety-critical subsystems including emergency surfacing controller, leak detection, battery management, navigation sensors, and communications, and SHALL report pass/fail status to the operator within 120 seconds of test initiation. Rationale: Pre-dive checks are mandatory in all operational AUV programmes to prevent deploying a vehicle with latent faults. The 120-second budget reflects the practical constraint of launch windows from research vessels where deck time is limited. Every safety-critical subsystem must be exercised because a latent fault in the emergency system could lead to vehicle loss. | Test | system, bite, safety, validation, session-321 |
| SYS-FUNC-013 | All wetted materials and external surfaces of the AUV SHALL resist corrosion and galvanic degradation in seawater for a minimum service life of 10 years with scheduled maintenance, using compatible materials per MIL-STD-889 or equivalent galvanic compatibility standard. Rationale: Seawater is a highly aggressive electrolyte. Dissimilar metal junctions, particularly titanium hull to aluminium fittings or stainless steel fasteners, create galvanic cells that cause rapid corrosion. MIL-STD-889 provides the accepted galvanic compatibility guidance. A 10-year service life reflects typical AUV fleet investment horizons and drives material selection for hull, fasteners, connectors, and fairings. | Analysis | system, materials, corrosion, validation, session-321 |
| SYS-FUNC-014 | The AUV internal electronics SHALL not produce electromagnetic interference that degrades the performance of any onboard sensor below its specified accuracy, and all subsystems SHALL be immune to conducted and radiated emissions from the propulsion motor drive at switching frequencies up to 40 kHz. Rationale: The AUV houses sensitive acoustic receivers, magnetometers within the INS, and precision analogue front-ends for CTD in close proximity to a 250W BLDC motor drive switching at 20 kHz. Without EMC discipline, motor harmonics couple into sensor cables and degrade measurement quality. Internal EMC is the primary concern rather than external regulatory compliance since the vehicle operates far from other electronic systems. | Test | system, emc, validation, session-321 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-FUNC-001 | The Inertial Navigation Unit SHALL provide attitude measurement with drift rate not exceeding 0.1 degrees per hour and accelerometer bias stability not exceeding 10 microg, sampled at a minimum of 200 Hz across all six degrees of freedom. Rationale: At 3-knot cruise speed over 24 hours, INS alone accumulates approximately 1.3km drift per degree-per-hour of gyro bias. 0.1 deg/hr limits unbounded INS drift to 130m, within the DVL re-acquisition envelope. The 200Hz rate is required for the EKF to maintain attitude stability during vehicle manoeuvring. | Test | subsystem, navigation, session-316, idempotency:sub-nav-ins-performance-316 |
| SUB-FUNC-002 | The Doppler Velocity Log SHALL measure ground-referenced velocity with accuracy of 0.3 percent of speed or better at altitudes from 1m to 200m above seafloor, outputting 3-axis velocity and altitude at a minimum of 5 Hz. Rationale: 0.3% velocity accuracy at 3 knots (1.5 m/s) yields 4.5 mm/s error, bounding INS position drift to approximately 0.4m per 100 seconds between DVL updates. The 200m altitude ceiling matches typical survey altitude profiles for multibeam bathymetry operations. | Test | subsystem, navigation, session-316, idempotency:sub-nav-dvl-accuracy-316 |
| SUB-FUNC-003 | The Navigation Processor SHALL fuse INS, DVL, USBL, depth sensor, and GPS inputs via an extended Kalman filter and output filtered position, velocity, and attitude at a minimum rate of 50 Hz with latency not exceeding 5 ms from sensor input to navigation solution output. Rationale: 50 Hz output rate matches the vehicle management computer control loop. 5ms latency bound ensures navigation solution freshness for real-time obstacle avoidance and trajectory tracking. EKF architecture selected for computational tractability on embedded processors while providing optimal state estimation. | Test | subsystem, navigation, session-316, idempotency:sub-nav-processor-fusion-316 |
| SUB-FUNC-004 | When any navigation sensor input fails or produces measurements outside its validity envelope, the Navigation Processor SHALL detect the fault within 500 ms, exclude the faulty sensor from the filter, and continue producing a valid navigation solution using remaining sensors. Rationale: Sensor failures underwater cannot be manually detected or repaired. The 500ms detection window limits position error accumulation to 0.75m at 3 knots before isolation. The filter must be robust to single-sensor loss to maintain mission continuity for the 24-hour endurance requirement. | Test | subsystem, navigation, session-316, idempotency:sub-nav-fdi-316 |
| SUB-FUNC-005 | The USBL Acoustic Transponder SHALL provide absolute position fixes with accuracy of 0.1 percent of slant range or better when interrogated by a ship-mounted USBL array, at depths up to 6000m and horizontal ranges up to 4000m. Rationale: At maximum operating depth of 6000m with 4000m horizontal offset, slant range is approximately 7200m. 0.1% yields 7.2m position accuracy, sufficient to bound long-term INS drift during mid-water transits where DVL bottom-track is unavailable. | Test | subsystem, navigation, session-316, idempotency:sub-nav-usbl-accuracy-316 |
| SUB-FUNC-006 | The Depth Pressure Sensor SHALL measure hydrostatic depth from 0 to 6500m with accuracy of 0.01 percent full scale and response time not exceeding 50 ms, outputting calibrated depth at a minimum of 10 Hz. Rationale: 0.01% of 6500m yields 0.65m depth accuracy, which constrains the vertical component of the EKF state estimate. The 50ms response time ensures depth data is current during vertical manoeuvres. 10Hz output rate provides adequate vertical channel update for the 50Hz navigation filter. | Test | subsystem, navigation, session-316, idempotency:sub-nav-depth-accuracy-316 |
| SUB-FUNC-007 | The Surface GPS Antenna Module SHALL acquire a valid GPS position fix within 60 seconds of the antenna clearing the water surface and SHALL provide UTC time reference accurate to 100 nanoseconds for navigation data timestamping. Rationale: Surfacing windows are operationally constrained to minimise surface exposure in high-traffic areas. 60-second acquisition time allows GPS recalibration within a typical 5-minute surface interval. 100ns UTC accuracy ensures timestamp coherence across all sensor data for post-mission processing. | Test | subsystem, navigation, session-316, idempotency:sub-nav-gps-ttff-316 |
| SUB-FUNC-008 | When both DVL and USBL aiding sources are unavailable, the Navigation Processor SHALL maintain position estimation using INS-only dead reckoning with position uncertainty growth rate not exceeding 0.5 percent of distance travelled, for a minimum of 30 minutes. Rationale: DVL loss occurs above 200m altitude; USBL loss occurs beyond acoustic range or in acoustic shadow zones. 30 minutes of INS-only operation at 3 knots covers approximately 2.8km, with 0.5% drift yielding 14m uncertainty — sufficient for the vehicle to descend to DVL range or transit to USBL coverage. | Analysis | subsystem, navigation, session-316, idempotency:sub-nav-degraded-316 |
| SUB-FUNC-009 | The Lithium-Ion Battery Pack SHALL provide a minimum usable energy capacity of 10 kWh at beginning of life with no more than 20 percent capacity degradation after 500 full charge-discharge cycles, at a nominal bus voltage of 48V DC. Rationale: 10kWh at 3-knot cruise with 400W hotel load supports the 24-hour mission requirement with 15% energy margin. 500-cycle life provides 3 years of weekly deployment operations. 48V bus minimises conductor mass for the 500W peak power draw. | Test | subsystem, power, session-316, idempotency:sub-pwr-battery-capacity-316 |
| SUB-FUNC-010 | The Battery Management System SHALL detect cell over-voltage exceeding 4.25V, under-voltage below 2.5V, over-temperature exceeding 60 degrees C, and cell imbalance exceeding 100mV within 100 ms, and SHALL activate an independent hardware protection circuit to disconnect the affected cell string. Rationale: NCA cells risk thermal runaway above 60C or when overcharged past 4.25V. 100ms detection window limits energy release during a cell fault to levels manageable by the oil-filled enclosure thermal mass. Hardware protection circuit is independent of software BMS to provide defense-in-depth. | Test | subsystem, power, session-316, idempotency:sub-pwr-bms-safety-316 |
| SUB-FUNC-011 | The Battery Management System SHALL estimate state-of-charge with accuracy within 5 percent of actual remaining capacity and SHALL report remaining energy and estimated time-to-depletion to the Vehicle Management Computer at 1 Hz. Rationale: 5% SOC accuracy provides the VMC with reliable data for mission abort decisions. The vehicle must surface with at least 10% energy reserve for recovery operations; a 5% estimation error still leaves a 5% true margin above the minimum. | Test | subsystem, power, session-316, idempotency:sub-pwr-bms-soc-316 |
| SUB-FUNC-012 | The Power Distribution Unit SHALL isolate any faulted load channel within 10 ms of detecting an overcurrent condition exceeding 150 percent of rated channel current, without disrupting power to other channels. Rationale: 10ms isolation prevents fault propagation to the battery bus which would black out the entire vehicle. Solid-state switching enables the speed required — electromechanical relays cannot reliably achieve sub-50ms switching in pressure-compensated oil at low temperatures. | Test | subsystem, power, session-316, idempotency:sub-pwr-pdu-isolation-316 |
| SUB-FUNC-013 | The DC-DC Converter Module SHALL maintain output voltage regulation within 1 percent on all rails under load transients up to 200 percent of rated current for durations up to 100 ms, with combined conversion efficiency not less than 94 percent at 50 percent rated load. Rationale: Thruster start-up transients produce 2x current spikes lasting approximately 50ms. 1% regulation prevents sensor subsystem brownout during these events. 94% efficiency at typical operating point limits thermal dissipation to under 21W, within the oil-bath cooling capacity. | Test | subsystem, power, session-316, idempotency:sub-pwr-dcdc-regulation-316 |
| SUB-FUNC-014 | The Motor Drive Electronics SHALL execute field-oriented control commutation of the Brushless DC Propulsion Motor with switching frequency no less than 20 kHz to keep switching harmonics above the 10 Hz to 1 kHz hydroacoustic survey band. Rationale: SYS-FUNC-009 constrains propulsion noise to 130 dB re 1 uPa at 1m in 10Hz-1kHz. BLDC commutation produces harmonics at the switching frequency and its multiples. Keeping switching above 20kHz ensures these harmonics fall outside the constrained band. FOC specifically minimises torque ripple compared to trapezoidal commutation, reducing broadband mechanical noise transmitted through the shaft to the propeller. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-foc-317 |
| SUB-FUNC-015 | The Motor Drive Electronics SHALL regulate propulsion motor speed to within 1 percent of the commanded RPM under load variations from zero thrust to maximum rated thrust of 150 N. Rationale: Precise speed control is necessary to maintain consistent cruise velocity for survey track accuracy. The Navigation Processor relies on stable propulsion output to predict vehicle trajectory. One percent tolerance ensures that speed perturbations from current or payload drag do not accumulate into unacceptable cross-track error during bathymetric survey lines. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-speed-317 |
| SUB-FUNC-016 | The Brushless DC Propulsion Motor SHALL deliver continuous mechanical output power of at least 250 W at 3-knot cruise speed with electrical-to-mechanical efficiency no less than 88 percent across the operating depth range of 0 to 6000 m. Rationale: SYS-FUNC-001 requires 24-hour mission endurance at 3-knot cruise with 10 kWh battery capacity. At 250W mechanical output and 88 percent efficiency, electrical draw is approximately 284W, consuming 6.8 kWh over 24 hours and leaving margin for payload, hotel loads, and battery ageing. Below 88 percent, the power budget cannot support full mission duration with adequate reserves. | Test | subsystem, propulsion, bldc-motor, session-317, idempotency:sub-bldc-power-317 |
| SUB-FUNC-017 | The Brushless DC Propulsion Motor SHALL not contribute more than 120 dB re 1 uPa at 1 m radiated noise in the 10 Hz to 1 kHz frequency band when operating at continuous cruise power. Rationale: SYS-FUNC-009 sets the total propulsion noise budget at 130 dB re 1 uPa at 1m. The motor shares this budget with the propeller, shaft bearings, and control surface servos. Allocating 120 dB to the motor leaves 10 dB margin for the propeller and other mechanical sources to sum below the 130 dB system limit. Motor noise sources include electromagnetic torque ripple, bearing vibration, and housing resonances transmitted through the structure. | Test | subsystem, propulsion, bldc-motor, session-317, idempotency:sub-bldc-noise-317 |
| SUB-FUNC-018 | The Propeller and Shaft Assembly SHALL produce at least 80 N of thrust at 3-knot cruise speed with cavitation inception speed no less than 4.5 knots at any operating depth from 0 to 6000 m. Rationale: 80 N thrust at 3 knots matches the estimated drag of a 350 kg, 4.5 m torpedo-form AUV at cruise. Cavitation inception above 4.5 knots ensures the propeller operates cavitation-free through the entire cruise and maneuvering envelope. At depth, hydrostatic pressure raises cavitation inception naturally, so the surface condition is the binding constraint. Cavitation would generate broadband noise violating SYS-FUNC-009. | Test | subsystem, propulsion, propeller, session-317, idempotency:sub-prop-thrust-317 |
| SUB-FUNC-019 | The Propeller and Shaft Assembly magnetic coupling SHALL transfer torque of at least 5 Nm continuously and 12 Nm peak without slippage or demagnetisation across the operating temperature range of 1 to 35 degrees Celsius. Rationale: Continuous 5 Nm at cruise RPM delivers the 250W mechanical output required by the motor specification with margin. Peak 12 Nm covers startup transients and current-induced load spikes. The coupling must not slip under any operational condition because slippage would leave the vehicle without propulsion and unable to return. Temperature range covers Arctic to tropical deployment conditions per stakeholder ConOps. | Test | subsystem, propulsion, propeller, session-317, idempotency:sub-prop-coupling-317 |
| SUB-FUNC-020 | The Control Surface Actuator Assembly SHALL deflect each control fin through a range of plus or minus 30 degrees with angular resolution of 0.1 degrees and full-sweep response time no greater than 200 ms. Rationale: 30-degree deflection range provides adequate authority for depth changes, turns, and obstacle avoidance at 3-knot cruise speed. 0.1-degree resolution is needed to maintain cross-track accuracy within 2 m during survey operations where small heading corrections dominate. 200 ms response time ensures the autopilot control loop at 10 Hz can achieve effective closed-loop bandwidth for trajectory tracking. | Test | subsystem, propulsion, control-surfaces, session-317, idempotency:sub-csaa-deflection-317 |
| SUB-FUNC-021 | The Buoyancy Trim System SHALL adjust vehicle displacement by plus or minus 2 kg equivalent at a transfer rate of no less than 50 mL per minute against ambient pressure up to 600 bar. Rationale: Plus or minus 2 kg displacement range covers the buoyancy variation from payload configuration changes, water density stratification from surface to 6000 m depth, and temperature-driven hull compression. The 50 mL per minute transfer rate allows full trim adjustment within 3 minutes, which is acceptable for pre-dive trimming and gradual depth-hold corrections. Operating against 600 bar requires a high-pressure hydraulic pump rated for the full depth envelope. | Test | subsystem, propulsion, buoyancy-trim, session-317, idempotency:sub-bts-displacement-317 |
| SUB-FUNC-022 | When motor winding temperature exceeds 120 degrees Celsius or phase current exceeds 25 A, the Motor Drive Electronics SHALL reduce output power to 50 percent within 100 ms and report the fault condition to the Vehicle Management Computer. Rationale: Over-temperature and over-current are the two primary failure modes for BLDC drives in sealed, oil-filled housings where convective cooling is limited. 120 degrees Celsius is the typical winding insulation limit for Class F insulation common in subsea motors. 25 A at 48V represents 1200W, well above the 800W peak rating, indicating a short-circuit or mechanical stall. Graceful derating to 50 percent preserves some propulsion for return-to-base rather than full shutdown. | Test | subsystem, propulsion, motor-drive, session-317, idempotency:sub-mde-fault-317 |
| SUB-FUNC-023 | The Control Surface Actuator Assembly servo housings SHALL withstand continuous external hydrostatic pressure of 600 bar with a safety factor of 1.5 on yield strength while maintaining fin actuation performance within specification. Rationale: Each fin actuator servo is exposed to full ocean depth pressure. SYS-FUNC-010 requires the vehicle structure to withstand 600 bar with 1.5 safety factor. The same structural criterion applies to actuator housings because a flooded servo would disable the associated control axis, potentially rendering the vehicle uncontrollable. Oil-filled housings eliminate differential pressure but the housing must still contain the oil and protect electronics. | Analysis | subsystem, propulsion, control-surfaces, session-317, idempotency:sub-csaa-pressure-317 |
| SUB-FUNC-024 | The Drop Weight Release Mechanism SHALL jettison the 15 kg tungsten ballast mass within 2 seconds of receiving the release command from the Emergency Surfacing Controller, achieving net positive buoyancy of at least 8 kg at any depth from 0 to 6000 m. Rationale: The 2-second release time derives from the 120-second emergency surfacing window in STK-OPS-002 minus ascent time at terminal velocity. 8 kg positive buoyancy at 350 kg vehicle mass yields approximately 0.7 m/s terminal ascent velocity, reaching surface from 6000m in approximately 140 minutes. The 15 kg ballast provides margin for seawater density variations and any entanglement drag. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-dropweight-release-318 |
| SUB-FUNC-025 | The Drop Weight Release Mechanism SHALL include a nichrome burn-wire backup release that activates independently of the primary solenoid latch, triggered by the Emergency Surfacing Controller via a separate circuit, and SHALL complete ballast release within 15 seconds of burn-wire activation at any temperature between 2 and 30 degrees Celsius. Rationale: The burn-wire provides a diverse redundant release path addressing common-cause failure of the solenoid mechanism (e.g., mechanical seizure from corrosion or pressure deformation). 15-second activation accounts for thermal inertia of the nichrome element at deep-ocean temperatures (2-4 degrees C) where heat dissipation into surrounding seawater slows wire heating. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-dropweight-burnwire-318 |
| SUB-FUNC-026 | When any emergency surfacing trigger is asserted (watchdog timeout, leak detection, battery critical, or VMC abort command), the Emergency Surfacing Controller SHALL initiate the emergency surfacing sequence within 500 ms, including: issuing the drop weight release command, de-energising non-essential load channels via the Power Distribution Unit, and activating the Acoustic Emergency Pinger. Rationale: The 500 ms initiation time ensures the emergency sequence begins well within the first second of fault detection, preserving maximum battery reserve for beacon operation on the surface. The sequence order (drop weight first, then load shed, then pinger) prioritises buoyancy recovery over diagnostics. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-sequence-318 |
| SUB-FUNC-027 | The Emergency Surfacing Controller SHALL operate from a dedicated lithium primary emergency battery providing at least 48 hours of continuous ESC operation, independent of the main Lithium-Ion Battery Pack and main power bus. Rationale: Power independence ensures the ESC can execute emergency surfacing even after complete main battery depletion, which is a credible failure mode during extended missions. 48-hour capacity covers the maximum plausible time from main battery failure through surfacing and surface beacon operation until recovery. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-power-318 |
| SUB-FUNC-028 | The Emergency Surfacing Controller SHALL implement two-of-three majority voting on all safety-critical inputs (watchdog timeout, leak detection, battery critical low) using three independent input channels per signal, and SHALL reject single-channel transient faults of duration less than 100 ms. Rationale: Triple-redundant voting prevents spurious emergency surfacing from single-channel transient faults (EMI, connector intermittency) which would abort an expensive deep-ocean mission unnecessarily. The 100 ms debounce window filters noise without compromising response time for genuine faults, as real failure modes (water ingress, VMC hang) persist well beyond 100 ms. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-voting-318 |
| SUB-FUNC-029 | The Emergency Locator Beacon SHALL activate automatically within 10 seconds of detecting ambient pressure below 1.5 bar and SHALL transmit VHF AIS SART signals on 156.525 MHz detectable by vessels at a minimum range of 10 nautical miles, and illuminate a xenon strobe visible at 3 nautical miles in darkness. Rationale: The 1.5 bar pressure threshold reliably distinguishes surface conditions from submerged operation with margin for wave action. AIS SART on 156.525 MHz is the standard maritime distress frequency monitored by all SOLAS-equipped vessels and shore stations, ensuring maximum detection probability. The 3 NM strobe range matches typical nighttime visual search patterns for small objects. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-beacon-activation-318 |
| SUB-FUNC-030 | The Emergency Locator Beacon SHALL sustain continuous VHF transmission and strobe operation for at least 72 hours from a dedicated lithium primary cell without dependence on any other vehicle power source. Rationale: 72-hour continuous operation aligns with SOLAS LSA Code requirements for EPIRBs and accounts for worst-case recovery scenarios in remote ocean areas where rescue vessel transit may take 48+ hours. Lithium primary chemistry provides stable voltage output across the temperature range and 10-year shelf life for pre-deployment storage. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-beacon-battery-318 |
| SUB-FUNC-031 | The Acoustic Emergency Pinger SHALL transmit at 37.5 kHz with source level of at least 185 dB re 1 uPa at 1 m, pulse duration of 10 ms at 1 pulse per second, and SHALL operate continuously for at least 90 days from a dedicated lithium primary cell rated to 700 bar. Rationale: 37.5 kHz is the standard frequency for underwater acoustic search receivers used by naval and commercial salvage operations (per IHO standards). 185 dB source level ensures detection at ranges exceeding 3 km in typical deep-ocean acoustic conditions. 90-day operation covers the time required to mobilise deep-ocean search and recovery assets, which may take weeks in remote areas. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-pinger-spec-318 |
| SUB-FUNC-032 | The Leak Detection Sensor Array SHALL detect water ingress of 0.5 ml or greater at any hull penetrator location and report the alarm to the Emergency Surfacing Controller within 500 ms of water contact, and SHALL distinguish between condensation (humidity rise above 85 percent RH sustained for more than 60 seconds) and active leak (liquid water contact). Rationale: 0.5 ml detection threshold catches leaks early enough to initiate surfacing before water reaches electronics. The 500 ms response time ensures the ESC receives the alarm within its decision cycle. Distinguishing condensation from active leaks prevents false emergency surfacing: internal hull condensation is common in AUVs operating in thermocline regions and does not warrant mission abort. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-leak-detection-318 |
| SUB-FUNC-033 | The Hardware Watchdog Timer SHALL require a heartbeat pulse from the Vehicle Management Computer at intervals not exceeding 30 seconds, and SHALL assert a hardware interrupt to the Emergency Surfacing Controller within 100 ms of timeout expiry, operating from the emergency power rail independent of the main power bus. Rationale: The 30-second heartbeat interval balances between catching genuine VMC failures promptly and tolerating transient processing delays during computationally intensive mission phases (e.g., sonar data processing). 100 ms assertion time ensures the ESC receives a clean, debounced interrupt. Power independence from the main bus ensures the watchdog functions even during main battery brownout scenarios. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-watchdog-spec-318 |
| SUB-FUNC-034 | When the primary solenoid release of the Drop Weight Release Mechanism fails to confirm ballast release within 5 seconds, the Emergency Surfacing Controller SHALL automatically activate the burn-wire backup release and SHALL log the primary release failure to non-volatile memory for post-mission analysis. Rationale: The 5-second timeout for primary release confirmation provides sufficient margin beyond the 2-second nominal release time to account for mechanical stiction at extreme depth, while remaining short enough that the burn-wire backup activates well within the overall emergency timeline. NVM logging enables post-recovery failure analysis without relying on the VMC which may have already failed. | Test | subsystem, emergency-safety, session-318, idempotency:sub-ess-esc-fallback-318 |
| SUB-FUNC-035 | The Multibeam Echosounder SHALL acquire bathymetric depth measurements with 256 equidistant beams across a 120-degree swath, achieving lateral resolution of 0.5 m and vertical depth accuracy of 0.1 m at survey altitude of 50 m above the seabed. Rationale: Lateral resolution of 0.5m and 0.1m vertical accuracy are derived from IHO S-44 Order 1a survey standards required by STK-OPS-003. 256 beams at 120-degree swath achieves full bottom coverage at 50m altitude with appropriate beam overlap. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-resolution-319 |
| SUB-FUNC-036 | The Multibeam Echosounder SHALL accept real-time sound velocity profile updates from the CTD Sensor Package and apply ray-tracing corrections to all beam depth calculations within the same ping cycle. Rationale: Without real-time sound velocity correction, refraction errors in thermocline conditions can exceed 1% of water depth. Applying correction within the same ping cycle prevents stale-SV artifacts visible as depth banding in post-processed bathymetry. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-svp-319 |
| SUB-FUNC-037 | The Multibeam Echosounder SHALL operate at a centre frequency of 400 kHz with source level not exceeding 220 dB re 1 uPa at 1 m, and SHALL not contribute more than 130 dB re 1 uPa at 1 m of radiated noise outside its operating band. Rationale: 400 kHz is standard for high-resolution near-bottom bathymetry; 220 dB source level provides adequate signal-to-noise at 100m range. Out-of-band radiated noise limit of 130 dB re 1 uPa aligns with SYS-FUNC-009 environmental noise constraint. | Test | subsystem, sensor-payload, mbes, session-319, idempotency:sub-mbes-acoustic-319 |
| SUB-FUNC-038 | The Digital Still Camera SHALL capture 24-megapixel images at a configurable trigger rate of 1 to 10 Hz, with each image geotagged to the navigation solution within 1 ms of shutter activation. Rationale: 24 MP provides 2cm/pixel at 5m altitude which is the minimum for seabed feature identification per STK-OPS-003 optical imagery requirement. 1ms geotag accuracy ensures pixel-level positional alignment for photomosaic stitching. | Test | subsystem, sensor-payload, camera, session-319, idempotency:sub-camera-capture-319 |
| SUB-FUNC-039 | The Digital Still Camera LED array SHALL provide at least 12000 lumens of uniform illumination across the camera field of view with colour temperature of 5500 K plus or minus 500 K to ensure consistent white balance for seabed imagery at altitudes from 2 to 10 m. Rationale: 12000 lumens provides adequate exposure for 24MP capture at 5m altitude in zero-ambient-light deep ocean conditions. 5500K approximates daylight balance, critical for colour-accurate habitat classification from optical imagery. | Test | subsystem, sensor-payload, camera, session-319, idempotency:sub-camera-led-319 |
| SUB-FUNC-040 | The CTD Sensor Package SHALL measure conductivity with accuracy of 0.003 PSU, temperature with accuracy of 0.001 degrees Celsius, and pressure with accuracy of 0.01 percent of full scale, sampling at 24 Hz via pumped flow path. Rationale: Conductivity and temperature accuracies are required to compute sound velocity to 0.05 m/s, which limits MBES depth error contribution from sound velocity uncertainty to less than 0.01% of depth. 24 Hz sample rate resolves thin thermocline layers during vertical profiling. | Test | subsystem, sensor-payload, ctd, session-319, idempotency:sub-ctd-accuracy-319 |
| SUB-FUNC-041 | The Sensor Payload Processor SHALL synchronise all sensor data acquisition timestamps to a PPS-disciplined clock with jitter not exceeding 10 microseconds, and SHALL apply real-time georeferencing using the navigation solution received at 50 Hz from the Navigation Processor. Rationale: 10 microsecond PPS jitter ensures sub-millimetre spatial error at 3 knots cruise speed. 50 Hz navigation updates are the native output rate of the Navigation Processor (SUB-FUNC-003) providing sub-ping-interval position interpolation for MBES beam georeferencing. | Test | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-sync-319 |
| SUB-FUNC-042 | The Sensor Payload Processor SHALL sustain aggregate sensor data write throughput of at least 200 MB/s to the Mass Storage Array during concurrent multibeam, camera, and CTD data acquisition. Rationale: Peak data rate is driven by concurrent MBES water-column data at 150 MB/s plus 24MP camera images at 40 MB/s plus CTD at 0.1 MB/s. 200 MB/s provides 5% headroom for filesystem overhead and metadata. Derived from SYS-FUNC-006 sustained write requirement. | Test | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-throughput-319 |
| SUB-FUNC-043 | The Mass Storage Array SHALL provide at least 4 TB of usable storage capacity with RAID-1 mirroring across two independent NVMe drives, and SHALL detect and report single-drive failure to the Sensor Payload Processor within 100 ms without data loss. Rationale: 4 TB capacity derived from SYS-FUNC-006. RAID-1 ensures no data loss from single-drive failure during a 24-hour mission at 200 MB/s peak write rate. 100 ms failure detection enables the payload processor to log the event and alert VMC before any write buffer overflow. | Test | subsystem, sensor-payload, storage, session-319, idempotency:sub-msa-capacity-319 |
| SUB-FUNC-044 | When any individual sensor fails or becomes unavailable, the Sensor Payload Processor SHALL continue acquiring and storing data from all remaining operational sensors without interruption, and SHALL log the fault with timestamp and sensor identity to the mission log. Rationale: Single sensor failure must not abort the mission or corrupt other sensor data streams. Oceanographic AUV missions are expensive to repeat and partial survey data retains significant value for the operator. | Demonstration | subsystem, sensor-payload, payload-processor, session-319, idempotency:sub-spp-degraded-319 |
| SUB-FUNC-045 | The Acoustic Modem SHALL provide half-duplex digital communication at a minimum data rate of 3 kbps at horizontal ranges up to 5 km in typical ocean sound velocity conditions, with bit error rate not exceeding 1e-6. Rationale: 3 kbps at 5 km range enables mission status telemetry and abort commands while the AUV operates within a realistic survey box relative to the support vessel. 1e-6 BER ensures command integrity without excessive retransmission overhead on the low-bandwidth link. | Test | subsystem, communications, acoustic-modem, session-319, idempotency:sub-amodem-range-319 |
| SUB-FUNC-046 | The Iridium SBD Transceiver SHALL transmit a position report containing GPS coordinates, battery state-of-charge, and mission status within 90 seconds of the antenna clearing the sea surface, and SHALL repeat position reports at intervals not exceeding 5 minutes while surfaced. Rationale: 90-second first-report time accounts for GPS cold start (60s per SUB-FUNC-007) plus Iridium network registration (30s typical). 5-minute repeat interval derives from SYS-FUNC-008 requirement and provides adequate tracking granularity for the support vessel. | Test | subsystem, communications, iridium, session-319, idempotency:sub-iridium-report-319 |
| SUB-FUNC-047 | The Wi-Fi Radio Module SHALL sustain data transfer throughput of at least 100 MB/s at ranges up to 200 m line-of-sight from the support vessel, enabling offload of a 4 TB mission dataset within 12 hours. Rationale: 100 MB/s sustained throughput at 200m provides realistic offload capability while the AUV bobs on the surface near the vessel. 12-hour offload window matches typical overnight recovery-to-redeployment cycle for oceanographic survey operations. | Test | subsystem, communications, wifi, session-319, idempotency:sub-wifi-offload-319 |
| SUB-FUNC-048 | The Communications Controller SHALL buffer outbound messages in non-volatile memory with capacity for at least 1000 messages and SHALL deliver buffered messages in priority order when the appropriate link becomes available, without message loss across controller or VMC restarts. Rationale: Non-volatile buffering ensures critical mission events logged during submerged operation are not lost if the VMC restarts or acoustic link is intermittent. 1000-message capacity covers 24 hours of 1-per-minute telemetry plus emergency events. | Test | subsystem, communications, controller, session-319, idempotency:sub-cc-buffer-319 |
| SUB-FUNC-049 | The Communications Controller SHALL encrypt all command and control messages using AES-256-GCM with per-session key exchange, and SHALL reject any command that fails authentication or integrity verification. Rationale: AUV command channel must be encrypted to prevent unauthorised control of the vehicle in open-ocean operations. AES-256-GCM provides authenticated encryption suitable for low-bandwidth acoustic links with minimal overhead. | Test | subsystem, communications, controller, security, session-319, idempotency:sub-cc-crypto-319 |
| SUB-FUNC-050 | The Main Pressure Hull Cylinder SHALL withstand continuous external hydrostatic pressure of 600 bar at 6000 m depth with a minimum safety factor of 1.5 on yield stress, and SHALL be proof-tested to 900 bar before first deployment. Rationale: 600 bar at 6000m is the design operating pressure. Safety factor of 1.5 on yield for Ti-6Al-4V (880 MPa yield) provides margin for manufacturing variation and fatigue. 900 bar proof test (1.5x operating) verifies structural integrity per DNV-GL rules for underwater vehicles. | Test | subsystem, hull, session-319, idempotency:sub-hull-pressure-319 |
| SUB-FUNC-051 | The Pressure Hull and Structure including all endcaps, fairing, penetrators, and internal mounting frame SHALL not exceed 140 kg dry mass, providing at least 210 kg payload mass allocation within the 350 kg total vehicle mass budget. Rationale: 140 kg hull mass allocation is derived from SYS-FUNC-007 total 350 kg vehicle mass. Leaves 210 kg for batteries (80 kg), electronics (30 kg), sensors (40 kg), propulsion (25 kg), and safety systems (15 kg) with 20 kg margin. | Inspection | subsystem, hull, session-319, idempotency:sub-hull-mass-319 |
| SUB-FUNC-052 | The Aft Endcap and Shaft Seal Assembly SHALL maintain pressure-tight integrity at the propeller shaft penetration at all depths to 6000 m, with oil-compensated cavity maintaining at least 0.5 bar overpressure relative to ambient at all depths. Rationale: Oil-compensated shaft seal is the most failure-prone hull element. 0.5 bar overpressure ensures outward oil flow past the seal lips, preventing water ingress even with seal wear. Failure of this seal is a vehicle-loss scenario. | Test | subsystem, hull, session-319, idempotency:sub-hull-shaft-seal-319 |
| SUB-FUNC-053 | Each Hull Penetrator in the Hull Penetrator Array SHALL be individually pressure-tested to 900 bar and SHALL maintain electrical isolation of at least 100 megaohms between conductors and hull body at all depths to 6000 m. Rationale: Individual penetrator proof testing to 1.5x operating pressure catches manufacturing defects before hull integration. 100 megaohm isolation prevents ground loops and ensures safety of high-voltage power penetrators (48V battery bus) in seawater. | Test | subsystem, hull, session-319, idempotency:sub-hull-penetrator-319 |
| SUB-FUNC-054 | The Free-Flood Fairing SHALL provide a vehicle drag coefficient not exceeding 0.15 referenced to frontal area at Reynolds numbers corresponding to 1 to 5 knot forward speed, and SHALL be removable in field conditions using standard hand tools within 30 minutes. Rationale: Cd of 0.15 at fineness ratio 8:1 is achievable with a well-designed torpedo-form fairing and directly affects endurance (SYS-FUNC-001 24-hour mission). 30-minute field removal enables at-sea maintenance access without specialised tooling. | Test | subsystem, hull, session-319, idempotency:sub-hull-fairing-319 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-INTERFACEDEFINITIONS-001 | The interface between the Inertial Navigation Unit and the Navigation Processor SHALL transfer 6-DOF inertial measurement data at 200 Hz over a synchronous serial link with maximum latency of 1 ms and bit error rate not exceeding 1e-9. Rationale: 200Hz IMU data requires deterministic low-latency delivery for real-time EKF updates. 1ms latency budget allocated from the 5ms total sensor-to-output pipeline. 1e-9 BER prevents corrupted IMU samples that could cause filter divergence. | Test | interface, navigation, session-316, idempotency:ifc-ins-navproc-316 |
| IFC-INTERFACEDEFINITIONS-002 | The interface between the Doppler Velocity Log and the Navigation Processor SHALL transmit 3-axis velocity, altitude, and beam validity data at 5 Hz over RS-422 serial at 115200 baud, with each message including a CRC-16 integrity check. Rationale: RS-422 differential signalling provides noise immunity in the electromagnetically noisy hull environment near thrusters. CRC-16 integrity check ensures corrupt velocity data does not enter the EKF, which is sensitive to velocity measurement errors. | Test | interface, navigation, session-316, idempotency:ifc-dvl-navproc-316 |
| IFC-INTERFACEDEFINITIONS-003 | The interface between the USBL Acoustic Transponder and the Navigation Processor SHALL deliver position fix messages containing latitude, longitude, depth, and position uncertainty estimate, with message reception latency not exceeding 200 ms from acoustic reception to navigation processor input. Rationale: 200ms latency budget accounts for acoustic propagation time compensation. Position uncertainty estimate is required for the EKF to correctly weight USBL fixes, which vary in accuracy with range and acoustic conditions. | Test | interface, navigation, session-316, idempotency:ifc-usbl-navproc-316 |
| IFC-INTERFACEDEFINITIONS-004 | The interface between the Navigation Processor and the Vehicle Management Computer SHALL transmit the fused navigation solution at 50 Hz over Ethernet UDP with message format including position, velocity, attitude, position uncertainty, and sensor health status, with end-to-end latency not exceeding 2 ms. Rationale: The VMC control loop runs at 50Hz and requires synchronous navigation updates. Ethernet UDP chosen for bandwidth and to support the full state vector including uncertainty. 2ms latency budget is the allocation from the 5ms total navigation pipeline to the VMC interface. | Test | interface, navigation, session-316, idempotency:ifc-navproc-vmc-316 |
| IFC-INTERFACEDEFINITIONS-005 | The interface between the Depth Pressure Sensor and the Navigation Processor SHALL transmit calibrated depth and water temperature at 10 Hz over RS-485 serial, with each message including sensor status flags and a sequence counter for data loss detection. Rationale: RS-485 selected for multi-drop capability allowing the depth sensor to also feed the emergency subsystem on the same bus. Sequence counter enables the navigation processor to detect missed samples that would degrade vertical channel estimation. | Test | interface, navigation, session-316, idempotency:ifc-depth-navproc-316 |
| IFC-INTERFACEDEFINITIONS-006 | The interface between the Battery Management System and the Vehicle Management Computer SHALL transmit battery status messages at 1 Hz over CAN bus, containing cell voltages, pack temperature, state-of-charge, remaining energy in Wh, estimated time to depletion, and fault flags. Rationale: CAN bus selected for robustness in the electrically noisy power compartment and deterministic message scheduling. 1Hz update rate matches VMC mission planning loop. Remaining energy in Wh is the actionable metric for mission abort decisions. | Test | interface, power, session-316, idempotency:ifc-bms-vmc-316 |
| IFC-INTERFACEDEFINITIONS-007 | The interface between the Vehicle Management Computer and the Power Distribution Unit SHALL support individual channel enable and disable commands with acknowledgement, and the PDU SHALL execute load shed commands within 50 ms of receipt. Rationale: VMC-controlled load shedding enables intelligent mission extension by disabling non-essential subsystems as energy depletes. 50ms execution time ensures load shedding takes effect before energy reaches critical reserve levels during transient overload events. | Test | interface, power, session-316, idempotency:ifc-vmc-pdu-316 |
| IFC-INTERFACEDEFINITIONS-008 | The interface between the Motor Drive Electronics and the Brushless DC Propulsion Motor SHALL carry 3-phase sinusoidal current up to 25 A per phase at switching frequency of 20 kHz minimum via shielded power cables no longer than 500 mm, and return Hall-effect rotor position feedback at 10 kHz sample rate. Rationale: Short cable run minimises EMI radiation and voltage drop. Shielding prevents switching noise from coupling into nearby sensor cables. Hall-effect feedback at 10 kHz provides sufficient rotor position resolution for smooth FOC commutation at the maximum motor speed. The bidirectional nature of this interface (power down, feedback up) requires careful cable routing to prevent crosstalk. | Test | interface, propulsion, session-317, idempotency:ifc-mde-bldc-317 |
| IFC-INTERFACEDEFINITIONS-009 | The interface between the Vehicle Management Computer and the Motor Drive Electronics SHALL use CAN 2.0B at 250 kbps to transmit speed commands at 10 Hz update rate and receive motor status telemetry including RPM, phase current, winding temperature, and fault flags at 10 Hz. Rationale: CAN bus is the standard subsea vehicle control bus, providing differential signalling with noise immunity suitable for operation near high-current motor drives. 250 kbps bandwidth supports the 10 Hz command and telemetry cycle with margin for other CAN nodes. 10 Hz update rate matches the autopilot control loop frequency. Motor telemetry is essential for the VMC to detect fault conditions and implement power management. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-mde-317 |
| IFC-INTERFACEDEFINITIONS-010 | The interface between the Vehicle Management Computer and the Control Surface Actuator Assembly SHALL use CAN 2.0B at 250 kbps to transmit fin deflection angle commands for rudder, elevator, and roll fins at 10 Hz and receive actual fin position feedback and actuator health status at 10 Hz. Rationale: Three-axis control requires coordinated fin commands at the autopilot update rate. CAN bus allows all fin actuators to share a single bus segment with the motor drive. Position feedback closes the servo loop and allows the VMC to detect jammed or failed fins. Health status includes servo current draw and temperature for predictive maintenance and fault isolation. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-csaa-317 |
| IFC-INTERFACEDEFINITIONS-011 | The interface between the Vehicle Management Computer and the Buoyancy Trim System SHALL use CAN 2.0B at 250 kbps to transmit target buoyancy offset commands and receive current oil volume position, pump pressure, pump motor current, and system fault status at 1 Hz update rate. Rationale: Buoyancy trimming is a slow process with time constants of minutes, so 1 Hz update rate is sufficient and conserves CAN bus bandwidth for higher-priority propulsion and steering messages. Pump pressure feedback is critical because operating the hydraulic pump against increasing ambient pressure as the vehicle descends requires monitoring to prevent pump stall. Oil volume position confirms that trim commands are being executed. | Test | interface, propulsion, session-317, idempotency:ifc-vmc-bts-317 |
| IFC-INTERFACEDEFINITIONS-012 | The interface between the Power Distribution Unit and the Motor Drive Electronics SHALL deliver 48 V DC power at up to 20 A continuous via a 2-conductor shielded cable with connector rated to 600 bar immersion pressure and include a solid-state switch enabling remote channel isolation by the PDU within 10 ms. Rationale: 48V at 20A provides 960W capacity, covering the 800W peak motor drive output plus conversion losses. The PDU must be able to isolate the motor drive channel remotely in case of a short circuit or thermal fault detected by the BMS or VMC. 10 ms isolation time matches SUB-FUNC-012 on the PDU side. Pressure-rated connectors are mandatory because the power cable passes through or between pressure-compensated housings at full ocean depth. | Test | interface, propulsion, session-317, idempotency:ifc-pdu-mde-317 |
| IFC-INTERFACEDEFINITIONS-013 | The interface between the Brushless DC Propulsion Motor and the Propeller and Shaft Assembly SHALL transfer torque through a rare-earth magnetic coupling with an air gap no greater than 8 mm across the pressure boundary, maintaining alignment concentricity within 0.05 mm under thermal expansion from 1 to 35 degrees Celsius. Rationale: The magnetic coupling is the critical pressure boundary between the oil-filled motor housing and the seawater-exposed propeller shaft. Air gap directly affects torque transfer capacity: every millimetre of gap reduces coupling strength significantly. 8 mm maximum accounts for the titanium pressure boundary wall thickness plus manufacturing tolerances. Concentricity within 0.05 mm prevents vibration-induced noise and bearing wear that would degrade acoustic performance. | Inspection | interface, propulsion, session-317, idempotency:ifc-bldc-prop-317 |
| IFC-INTERFACEDEFINITIONS-014 | The interface between the Leak Detection Sensor Array and the Emergency Surfacing Controller SHALL use an I2C bus at 100 kHz with dedicated interrupt lines per sensor zone, transmitting sensor status (leak detected, humidity percentage, sensor health) in a 4-byte message frame, with the ESC polling all sensors at 2 Hz and each sensor capable of asserting a hardware interrupt on water contact detection. Rationale: I2C is appropriate for the short cable runs inside the pressure hull (under 50 cm) and the low data rates required. Hardware interrupt lines per zone provide immediate notification without waiting for the polling cycle, critical for rapid leak response. 2 Hz polling provides continuous health monitoring and trend detection for condensation. | Test | interface, emergency-safety, session-318, idempotency:ifc-leak-esc-318 |
| IFC-INTERFACEDEFINITIONS-015 | The interface between the Hardware Watchdog Timer and the Emergency Surfacing Controller SHALL be a single dedicated GPIO line that transitions from high to low on watchdog timeout, with the ESC reading this input through its triple-redundant voting circuit. The GPIO signal SHALL be active-low, open-drain with a 10 kohm pull-up to the emergency power rail. Rationale: A dedicated GPIO line with active-low open-drain topology ensures fail-safe behaviour: if the watchdog timer itself fails or its power is lost, the line floats low (pulled by the pull-up through the voting circuit), triggering the emergency sequence. This is the simplest and most reliable interface for a single binary safety signal. | Test | interface, emergency-safety, session-318, idempotency:ifc-hwt-esc-318 |
| IFC-INTERFACEDEFINITIONS-016 | The interface between the Emergency Surfacing Controller and the Drop Weight Release Mechanism SHALL consist of two independent circuits: a 24 V solenoid drive line capable of sourcing 2 A for the primary release, and a separate burn-wire activation line capable of sourcing 5 A at 12 V for the backup nichrome wire. Both circuits SHALL include a release confirmation feedback signal (ballast-away microswitch) returning to the ESC. Rationale: Two independent release circuits implement the diverse redundancy architecture decision (ARC-ARCHITECTUREDECISIONS-005). The solenoid at 24 V/2 A provides instantaneous electromagnetic release; the burn-wire at 12 V/5 A provides thermal release via a separate mechanism. Confirmation feedback from a microswitch closes the loop so the ESC can detect primary release failure and escalate to burn-wire within 5 seconds. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-dropweight-318 |
| IFC-INTERFACEDEFINITIONS-017 | The interface between the Emergency Surfacing Controller and the Acoustic Emergency Pinger SHALL be a single activation line that enables pinger operation when pulled low by the ESC, with the pinger self-sustaining operation from its internal lithium primary cell once activated. The activation line SHALL be latching such that pinger operation continues even if the ESC subsequently loses power. Rationale: A latching activation ensures the pinger continues transmitting even if the ESC battery is exhausted during a prolonged seabed stranding. Self-sustaining operation from an internal cell provides 90-day autonomy independent of all other vehicle power systems, matching the search and recovery timeline for deep-ocean assets. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-pinger-318 |
| IFC-INTERFACEDEFINITIONS-018 | The interface between the Emergency Surfacing Controller and the Emergency Locator Beacon SHALL be a single activation line that arms the beacon for automatic surface activation. The beacon SHALL independently monitor ambient pressure and self-activate when pressure drops below 1.5 bar, drawing power from its internal 72-hour lithium primary cell. Rationale: Separating the arming function (ESC-controlled) from the activation function (pressure-triggered) ensures the beacon does not activate at depth, conserving its 72-hour battery for surface operations. The beacon's independent pressure sensor provides a final layer of autonomy: even if the ESC fails after arming the beacon, surface activation still occurs automatically. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-beacon-318 |
| IFC-INTERFACEDEFINITIONS-019 | The interface between the Emergency Surfacing Controller and the Vehicle Management Computer SHALL use a dedicated UART at 9600 baud transmitting ESC health status, leak sensor readings, watchdog state, and emergency battery voltage at 1 Hz. The VMC SHALL reset the Hardware Watchdog Timer via a separate dedicated GPIO line independent of the UART link. Rationale: UART at 9600 baud provides a simple, robust telemetry link for the VMC to monitor safety subsystem health during normal operations without introducing software coupling between VMC and ESC. The watchdog reset on a separate GPIO ensures that UART communication failures do not mask a genuine VMC hang — the watchdog GPIO requires active firmware execution to toggle, not just a functioning serial port. | Test | interface, emergency-safety, session-318, idempotency:ifc-esc-vmc-318 |
| IFC-INTERFACEDEFINITIONS-020 | The interface between the Battery Management System and the Emergency Surfacing Controller SHALL include a dedicated hardwired active-low signal that asserts when main battery state-of-charge falls below 5 percent or any cell voltage drops below 2.8 V, independent of the CAN bus link between BMS and VMC. Rationale: A hardwired signal independent of the CAN bus ensures the ESC receives battery critical-low notification even if the CAN bus or VMC has failed. The 5 percent SOC threshold provides sufficient remaining energy for load shedding and emergency surfacing sequence execution. The 2.8 V cell voltage threshold protects against lithium-ion cell damage from deep discharge while providing margin above the 2.5 V disconnect threshold in SUB-FUNC-010. | Test | interface, emergency-safety, session-318, idempotency:ifc-bms-esc-318 |
| IFC-INTERFACEDEFINITIONS-021 | The interface between the Multibeam Echosounder and the Sensor Payload Processor SHALL transfer raw bathymetric ping data including per-beam depth, intensity, and optional water-column samples via Ethernet UDP at a sustained rate of at least 150 MB/s with packet loss not exceeding 0.001 percent. Rationale: Ethernet UDP is standard for high-bandwidth sonar data transfer (Kongsberg EM2040, Teledyne Reson T50). 150 MB/s accommodates 256-beam pings with water column at 10 Hz ping rate. 0.001% packet loss ensures bathymetric data continuity for IHO-compliant surveys. | Test | interface, sensor-payload, session-319, idempotency:ifc-mbes-spp-319 |
| IFC-INTERFACEDEFINITIONS-022 | The interface between the Digital Still Camera and the Sensor Payload Processor SHALL transfer uncompressed 24-megapixel images via GigE Vision protocol with hardware trigger synchronisation signal and exposure-complete acknowledgement, at frame rates up to 10 Hz. Rationale: GigE Vision is the industrial standard for machine vision data transfer providing deterministic triggering. Hardware trigger sync ensures the shutter event is timestamped at the PPS-disciplined clock, not at the software receive time, eliminating camera-to-navigation time offset. | Test | interface, sensor-payload, session-319, idempotency:ifc-camera-spp-319 |
| IFC-INTERFACEDEFINITIONS-023 | The interface between the CTD Sensor Package and the Sensor Payload Processor SHALL transfer conductivity, temperature, and pressure measurements at 24 Hz via RS-232 at 115200 baud using the sensor manufacturer ASCII telegram format. Rationale: RS-232 is the standard CTD interface used by Sea-Bird and RBR instruments. 115200 baud provides adequate bandwidth for 24 Hz sample triplets. ASCII telegram format enables field-swappable CTD replacement without firmware changes. | Test | interface, sensor-payload, session-319, idempotency:ifc-ctd-spp-319 |
| IFC-INTERFACEDEFINITIONS-024 | The interface between the CTD Sensor Package and the Multibeam Echosounder SHALL provide real-time sound velocity at the transducer face, updated at least once per second, via RS-232 serial link at 9600 baud using the standard SVP telegram format. Rationale: Direct CTD-to-MBES sound velocity link provides the transducer-face value needed for beamforming with less than 100ms latency. 1 Hz update rate is sufficient because sound velocity at a fixed depth changes slowly. Separate from the CTD-to-processor link to maintain independence of the beamforming correction path. | Test | interface, sensor-payload, session-319, idempotency:ifc-ctd-mbes-319 |
| IFC-INTERFACEDEFINITIONS-025 | The interface between the Sensor Payload Processor and the Mass Storage Array SHALL transfer sensor data via PCIe Gen3 x4 NVMe protocol at sustained sequential write throughput of at least 200 MB/s with write latency not exceeding 500 microseconds at the 99th percentile. Rationale: PCIe NVMe provides the lowest-latency high-bandwidth storage interface, critical for sustaining 200 MB/s concurrent write from multiple sensor streams without buffer overflow. 500 microsecond P99 write latency prevents write stalls that would cause sensor data buffer drops. | Test | interface, sensor-payload, session-319, idempotency:ifc-spp-msa-319 |
| IFC-INTERFACEDEFINITIONS-026 | The interface between the Sensor Payload Processor and the Vehicle Management Computer SHALL use Gigabit Ethernet with a defined message set for mission control commands, sensor health telemetry at 1 Hz, and post-mission data offload at a minimum of 100 MB/s. Rationale: GbE provides adequate bandwidth for both real-time telemetry and bulk data offload. 1 Hz health telemetry enables VMC to detect sensor faults within the mission replanning cycle. 100 MB/s offload rate allows transferring a full 4 TB mission dataset within 12 hours via the communications subsystem. | Test | interface, sensor-payload, session-319, idempotency:ifc-spp-vmc-319 |
| IFC-INTERFACEDEFINITIONS-027 | The interface between the Acoustic Modem and the Communications Controller SHALL transfer variable-length data packets up to 256 bytes via RS-232 at 19200 baud, with CRC-16 error detection on each packet. Rationale: RS-232 at 19200 baud is standard for acoustic modem command interfaces (EvoLogics, LinkQuest). 256-byte max packet matches typical acoustic modem MTU. CRC-16 provides error detection on the serial link distinct from the acoustic channel FEC. | Test | interface, communications, session-319, idempotency:ifc-amodem-cc-319 |
| IFC-INTERFACEDEFINITIONS-028 | The interface between the Iridium SBD Transceiver and the Communications Controller SHALL use 3.3V UART at 19200 baud with AT command protocol, supporting Mobile Originated messages up to 340 bytes and Mobile Terminated messages up to 270 bytes. Rationale: AT command interface over UART is the standard Iridium 9603N transceiver interface. MO/MT message sizes are fixed by the Iridium SBD protocol specification. | Test | interface, communications, session-319, idempotency:ifc-iridium-cc-319 |
| IFC-INTERFACEDEFINITIONS-029 | The interface between the Wi-Fi Radio Module and the Communications Controller SHALL use Gigabit Ethernet with TCP for reliable bulk data transfer and UDP for real-time telemetry forwarding, supporting concurrent operation of both protocols. Rationale: TCP for bulk transfer ensures data integrity during multi-hour offload sessions. UDP for telemetry minimises latency for time-critical status updates. Both protocols must operate concurrently to allow monitoring during data offload. | Test | interface, communications, session-319, idempotency:ifc-wifi-cc-319 |
| IFC-INTERFACEDEFINITIONS-030 | The interface between the Communications Controller and the Vehicle Management Computer SHALL use Gigabit Ethernet with a defined message set including mission commands, telemetry relay, link status at 1 Hz, and data offload routing, with message delivery confirmation for all safety-critical commands. Rationale: GbE matches the VMC internal network standard. 1 Hz link status enables VMC to select appropriate communication strategy. Delivery confirmation for safety-critical commands (abort, surface) ensures the operator knows the command reached the vehicle. | Test | interface, communications, session-319, idempotency:ifc-cc-vmc-319 |
| IFC-INTERFACEDEFINITIONS-031 | The interface between the Surface GPS Antenna Module and the Navigation Processor SHALL deliver NMEA 0183 position and PPS time synchronisation data via RS-232 at 9600 baud within 100 ms of GPS fix acquisition, with the PPS signal providing UTC epoch alignment accurate to 100 nanoseconds for navigation filter time-stamping. Rationale: SUB-FUNC-007 specifies GPS fix acquisition within 60 seconds and 100 ns time accuracy, but no interface requirement existed to define how GPS data reaches the navigation processor. The PPS signal is essential for disciplining the navigation filter clock and for cross-sensor timestamp alignment. RS-232 at 9600 baud is standard for NMEA output on marine GPS receivers. | Test | interface, navigation, gps, validation, session-321 |
| IFC-INTERFACEDEFINITIONS-032 | The interface between the Vehicle Management Computer and the Navigation Processor SHALL transmit mission waypoint updates and guidance mode commands via Ethernet UDP at a minimum rate of 1 Hz, and the Navigation Processor SHALL acknowledge each waypoint acceptance within 50 ms, including confirmation of the waypoint coordinate validity check. Rationale: The VMC executes the mission plan and must command the navigation processor with waypoint targets and guidance mode transitions. Without this interface, there is no defined mechanism for the VMC to direct the vehicle along its survey path. The acknowledgement loop ensures the navigation processor has validated each waypoint before the VMC advances the mission sequence. | Test | interface, navigation, guidance, validation, session-321 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-ARCHITECTUREDECISIONS-001 | ARC: Navigation and Guidance Subsystem — Multi-sensor fusion with INS-primary architecture chosen over pure acoustic navigation. The FOG-based INS provides continuous high-rate dead-reckoning that is bounded by DVL bottom-track for near-seafloor operations and USBL transponder fixes for mid-water transits. This topology tolerates loss of any single aiding source while maintaining sub-meter accuracy for survey-grade bathymetry registration. Alternative of SLAM-based navigation rejected due to featureless abyssal terrain in target operating environment. Rationale: GPS-denied environment at depth demands autonomous dead-reckoning with periodic recalibration. INS-primary architecture is proven in oceanographic AUVs and provides deterministic worst-case drift bounds needed for survey data georeferencing. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-002 | ARC: Power Subsystem — Pressure-compensated oil-filled battery enclosure chosen over pressure vessel approach. Oil compensation eliminates the mass penalty of a thick-walled pressure housing at 6000m depth while providing thermal coupling for passive cell cooling. NCA cell chemistry selected over LFP for energy density (250 Wh/kg vs 160 Wh/kg), accepting the higher thermal runaway risk mitigated by per-cell monitoring and independent hardware protection. Centralised PDU with solid-state switching preferred over distributed fusing to enable VMC-commanded load shedding for mission extension. Rationale: 6000m depth rating at 350kg dry mass budget demands maximum energy density. Oil compensation is standard practice for deep-rated AUV battery packs and avoids the 40kg pressure housing mass penalty that would reduce payload capacity. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-004 | ARC: Propulsion Subsystem — Magnetic coupling and oil-compensated motor chosen over direct-drive shaft seal. The 6000m depth rating makes rotary shaft seals unreliable at 600 bar; magnetic coupling eliminates the dynamic seal at the cost of 5 percent torque transfer efficiency. Oil-filled motor housing equalises pressure. Separate control surface actuators chosen over vectored thrust for maneuvering. Buoyancy trim system included to decouple depth control from propulsive power for silent depth holds. Rationale: Deep-rated AUV propulsion must solve the shaft seal problem at 600 bar. Magnetic coupling is proven to 6500m. The acoustic noise constraint of 130 dB drives FOC commutation and fixed-pitch propeller choice. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-005 | ARC: Emergency and Safety Subsystem — Independent emergency surfacing controller architecture chosen over VMC-integrated safety functions. The ESC is a separate processor on a dedicated emergency power rail, ensuring that VMC failure, main battery depletion, or software faults cannot prevent emergency surfacing. This separation follows IEC 61508 principles of functional independence between the control system and its safety function. A burn-wire backup release on the drop weight mechanism provides a tertiary path independent of both VMC and ESC. The trade-off is added mass, complexity, and cost of a redundant processor and battery, but this is justified by the 6000m operating depth where recovery of a stranded vehicle is impractical. Rationale: At 6000m depth, vehicle loss from a failed emergency surfacing is catastrophic and unrecoverable. Functional independence between control (VMC) and safety (ESC) is mandated by IEC 61508 SIL 2 principles and is standard practice in deep-rated AUVs. The burn-wire tertiary path addresses common-cause failure of electronic release mechanisms. | Inspection | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-006 | ARC: Sensor Payload Subsystem — Centralised payload processor architecture chosen over distributed per-sensor processing. All three sensor types (MBES, camera, CTD) feed raw data to a single x86 compute module that handles time-stamping against PPS-disciplined clock, real-time georeferencing using the navigation solution, and write scheduling to RAID-1 NVMe storage. Centralised approach was chosen because: (1) a single PPS-synchronised clock source eliminates inter-sensor timestamp drift that plagued distributed architectures in the Hugin 1000 and REMUS 6000 designs; (2) CTD-derived sound velocity must be applied to MBES beamforming with less than 100ms latency, which is trivial on a local bus but problematic across an Ethernet switch with variable buffering; (3) a single NVMe write scheduler can coalesce data streams to maintain the 200 MB/s sustained throughput required by the 24-hour mission without per-sensor write contention. Rationale: Centralised processing eliminates timestamp coherence issues observed in distributed AUV payload architectures and enables real-time sound velocity correction within MBES ping cycle. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-008 | ARC: Communications Subsystem — Three-link architecture (acoustic, satellite, Wi-Fi) with centralised controller chosen over single-link designs. Acoustic modem provides the only submerged communication path for mission status and remote abort. Iridium SBD provides global position reporting independent of vessel proximity. Wi-Fi provides high-bandwidth data offload only when surfaced near the support vessel. The communications controller implements store-and-forward buffering and automatic link selection, avoiding the reliability problems of direct VMC-to-radio interfaces where VMC reboot would lose queued messages. Rationale: Three independent links with distinct range/bandwidth characteristics cover all AUV operational states. Centralised controller with store-and-forward ensures no message loss during VMC restarts or link transitions. | Analysis | architecture, informational, session-320 |
| ARC-ARCHITECTUREDECISIONS-009 | ARC: Pressure Hull and Structure — Single-cylinder titanium hull with O-ring sealed endcaps chosen over multi-section aluminium design. Ti-6Al-4V provides superior strength-to-weight ratio at 6000m depth rating (600 bar) with thinner walls (12mm vs 18mm aluminium), leaving more internal volume for payload. Single cylinder avoids inter-section seal failure modes present in modular designs. Forward endcap integrates optical viewport and sensor penetrators; aft endcap houses the pressure-compensated shaft seal with oil reservoir. Rationale: Titanium single-cylinder design maximises payload volume fraction at 6000m depth while eliminating inter-section seal joints that are the primary leak source in modular hull designs. | Analysis | architecture, informational, session-320 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-033 | Verify SUB-FUNC-010: Inject cell voltages at 4.25V, 4.26V, 2.50V, and 2.49V boundaries. Verify BMS asserts fault within 100ms for out-of-range conditions and does not false-alarm at boundary values. Inject temperature ramp from 55C to 65C and verify over-temperature assertion at 60C threshold. Monitor CAN bus for fault messages. Rationale: BMS fault detection is the first line of defence against thermal runaway — verification must confirm both detection sensitivity and freedom from false alarms at boundary conditions. | Test | verification, power, safety, session-320, idempotency:ver-bms-fault-320 |
| VER-034 | Verify SUB-FUNC-024: Command solenoid release and measure time from command assertion to confirmed ballast separation using high-speed video and load cell. Conduct 20 trials at ambient and at simulated 600 bar pressure. Verify all releases complete within 2 seconds. Measure ballast mass to confirm 15 kg tungsten payload. Rationale: Drop weight release is the primary emergency ascent mechanism — the 2-second budget derives from the 5-second total emergency response time in SYS-FUNC-003. | Test | verification, emergency, safety, session-320, idempotency:ver-drop-weight-320 |
| VER-035 | Verify SUB-FUNC-050: Subject main pressure hull cylinder to hydrostatic proof test at 900 bar (1.5x operating depth of 600 bar). Hold for 60 minutes. Monitor strain gauges at weld seams and endcap interfaces. Verify no yielding (strain below 0.2 percent at any gauge), no leakage, and no permanent deformation post-test. Rationale: Pressure hull is single-point-of-failure for vehicle survival. Proof testing at 1.5x validates the safety factor in SYS-FUNC-010 and confirms weld quality and material properties. | Test | verification, hull, safety, session-320, idempotency:ver-hull-proof-320 |
| VER-036 | Verify SUB-FUNC-049: Inject plaintext command and control messages at communications controller input. Capture output on all three links (acoustic, Iridium, Wi-Fi). Verify all transmitted messages are encrypted with AES-256-GCM or equivalent. Attempt replay of captured messages and verify rejection. Verify key rotation occurs per mission configuration. Rationale: Command encryption prevents spoofed abort or mission modification commands — a vehicle accepting forged commands in open ocean is a loss scenario. | Test | verification, comms, security, session-320, idempotency:ver-comms-encrypt-320 |
| VER-037 | Verify SUB-FUNC-032: Inject 0.5 ml water droplets at each hull penetrator sensing location. Verify detection and ESC notification within specified time at each location. Inject 0.4 ml and verify no false alarm. Repeat at temperatures from 2C to 35C to confirm detection across operating thermal range. Rationale: Leak detection is the earliest warning of pressure hull compromise — the 0.5 ml threshold must be validated at every sensing point, not just as a system-level test. | Test | verification, safety, hull, session-320, idempotency:ver-leak-detect-320 |
| VER-TEST-001 | Verify IFC-INTERFACEDEFINITIONS-001: Bench test INS-to-Navigation Processor serial link by injecting known 6-DOF motion profiles and measuring output rate, latency via hardware timestamping, and BER over 24-hour continuous operation. Pass criteria: sustained 200Hz with no samples exceeding 1ms latency and BER below 1e-9. Rationale: Integration test at component level to verify interface compliance before hull integration where access is limited. | Test | verification, navigation, session-316, idempotency:ver-ifc-ins-navproc-316 |
| VER-TEST-002 | Verify IFC-INTERFACEDEFINITIONS-002: Inject simulated DVL messages at 5Hz with known velocity vectors via RS-422 loopback test. Verify CRC-16 validation rejects corrupted messages and navigation processor correctly parses beam validity flags. Pass criteria: zero undetected corrupt messages over 10000 test cycles. Rationale: CRC integrity is safety-relevant — corrupt velocity data can cause position error accumulation without detection. | Test | verification, navigation, session-316, idempotency:ver-ifc-dvl-navproc-316 |
| VER-TEST-003 | Verify IFC-INTERFACEDEFINITIONS-003: Simulate USBL position fix messages with varying uncertainty values and measure reception latency from message injection to EKF measurement update. Pass criteria: all fixes processed within 200ms, uncertainty correctly propagated to EKF covariance. Rationale: Latency and uncertainty propagation are both critical — late fixes degrade position accuracy and incorrect uncertainty weighting causes filter inconsistency. | Test | verification, navigation, session-316, idempotency:ver-ifc-usbl-navproc-316 |
| VER-TEST-004 | Verify IFC-INTERFACEDEFINITIONS-004: Capture navigation processor UDP output at the VMC Ethernet port. Verify 50Hz message rate, measure end-to-end latency via hardware PTP timestamps, and validate all state vector fields present including uncertainty and sensor health. Pass criteria: sustained 50Hz with 99.9th percentile latency below 2ms over 1-hour test. Rationale: This is the primary navigation output interface. Latency exceedances directly impact vehicle control stability. 99.9th percentile used because deterministic real-time performance is required. | Test | verification, navigation, session-316, idempotency:ver-ifc-navproc-vmc-316 |
| VER-TEST-005 | Verify IFC-INTERFACEDEFINITIONS-005: Inject depth sensor messages at 10Hz over RS-485 with deliberate sequence counter gaps and verify navigation processor detects all gaps. Pass criteria: 100% gap detection with zero false positives over 50000 message test sequence. Rationale: Sequence counter reliability directly supports data integrity for the vertical navigation channel. False positives would trigger unnecessary fault responses. | Test | verification, navigation, session-316, idempotency:ver-ifc-depth-navproc-316 |
| VER-TEST-006 | Verify end-to-end navigation chain: Inject correlated sensor stimuli (INS rotation, DVL velocity, depth change) representing a known trajectory. Verify navigation processor output matches expected trajectory within 0.1 percent of distance travelled. Pass criteria: position error below 0.1% of total trajectory length over a simulated 4-hour mission with sensor noise profiles matching specification. Rationale: System-level integration test exercises the complete sensor-to-output chain including EKF tuning, sensor timing, and cross-sensor consistency. 4-hour subset of 24-hour mission provides statistical confidence while keeping test duration practical. | Test | verification, navigation, system-integration, session-316, idempotency:ver-sys-nav-e2e-316 |
| VER-TEST-007 | Verify IFC-INTERFACEDEFINITIONS-006: Monitor CAN bus between BMS and VMC over 24-hour simulated mission. Verify 1Hz message rate, all fields populated with valid ranges, and message delivery within 10ms of BMS sample time. Inject simulated fault conditions and verify fault flags correctly set. Pass criteria: zero missed messages, all fields within expected ranges, fault flags correctly raised within 200ms of injection. Rationale: BMS-VMC interface is safety-relevant for mission abort decisions. 24-hour test matches full mission endurance. | Test | verification, power, session-316, idempotency:ver-ifc-bms-vmc-316 |
| VER-TEST-008 | Verify IFC-INTERFACEDEFINITIONS-007: Issue load shed commands from VMC to PDU for each channel and measure execution time from command transmission to channel power-down using oscilloscope monitoring. Pass criteria: all channels respond within 50ms, acknowledgement received within 100ms, non-commanded channels maintain voltage within 2 percent of nominal. Rationale: Load shedding timing and channel isolation are critical for preventing cascading power failures during emergency energy management. | Test | verification, power, session-316, idempotency:ver-ifc-vmc-pdu-316 |
| VER-TEST-009 | Verify IFC-INTERFACEDEFINITIONS-008: Connect Motor Drive Electronics to BLDC Motor via production cable harness. Measure phase current waveform with current probe at 20 kHz sample rate and verify sinusoidal shape with THD below 5 percent. Verify Hall-effect feedback signal integrity by measuring at Motor Drive Electronics input with oscilloscope. Pass criteria: 3-phase current balanced within 3 percent, Hall feedback transitions clean with rise time below 1 us, no EMI-induced false transitions over 1-hour continuous run. Rationale: Integration test at the most critical internal propulsion interface. Validates both power delivery quality and feedback signal integrity under realistic operating conditions. | Test | verification, propulsion, session-317 |
| VER-TEST-010 | Verify IFC-INTERFACEDEFINITIONS-009: Transmit speed command sequence from VMC over CAN bus to Motor Drive Electronics. Verify command receipt by monitoring CAN traffic with bus analyser. Confirm motor telemetry frames received at VMC at 10 Hz with all fields populated. Pass criteria: zero CAN frame loss over 10000 consecutive frames, command-to-execution latency below 50 ms, telemetry update jitter below 20 ms. Rationale: CAN bus reliability between VMC and motor drive is critical for propulsion control. Frame loss or excessive latency would cause speed oscillations affecting survey quality. | Test | verification, propulsion, session-317 |
| VER-TEST-011 | Verify IFC-INTERFACEDEFINITIONS-010: Command each control fin to a sequence of deflection angles from VMC and measure actual fin position with external encoder. Pass criteria: commanded vs actual position error below 0.2 degrees across full range, position feedback CAN frames received at 10 Hz with zero frame loss over 5000 frames, health status fields report nominal for all actuators. Rationale: Control surface interface accuracy directly affects trajectory tracking. This test validates the complete command chain from VMC through CAN to actuator and back. | Test | verification, propulsion, session-317 |
| VER-TEST-012 | Verify IFC-INTERFACEDEFINITIONS-011: Command Buoyancy Trim System to transfer oil from internal to external bladder and back. Monitor CAN messages at VMC for oil volume position, pump pressure, and fault status updates at 1 Hz. Pass criteria: oil volume readings track commanded offset within 5 percent, pump pressure reported accurately against reference gauge, 1 Hz telemetry sustained with no dropout over 30-minute cycle. Rationale: Buoyancy trim interface validation ensures the VMC can monitor and control depth trim. The 30-minute test duration covers multiple full trim cycles. | Test | verification, propulsion, session-317 |
| VER-TEST-013 | Verify end-to-end propulsion chain: Command VMC to execute a simulated survey transit at 3-knot cruise speed for 60 minutes. Measure actual vehicle speed, motor RPM, power consumption, control surface activity, and radiated noise simultaneously. Pass criteria: speed maintained within 0.1 knots of commanded, total electrical power draw below 350 W, radiated noise below 130 dB re 1 uPa at 1 m in 10 Hz to 1 kHz band, no fault conditions reported by any propulsion component. Rationale: System-level integration test exercises the complete propulsion chain from VMC command through motor drive, motor, propeller thrust generation, and control surface steering. Validates that component-level specifications compose into compliant system-level performance. | Demonstration | verification, propulsion, integration, session-317 |
| VER-TEST-014 | Verify IFC-INTERFACEDEFINITIONS-014: Connect leak detection sensor array to ESC via I2C bus and inject simulated water contact at each sensor zone. Verify hardware interrupt asserts within 500 ms of water contact. Verify ESC polling reads correct sensor status at 2 Hz. Inject humidity ramp to 90 percent RH over 120 seconds and verify condensation alarm is raised only after 60-second sustained threshold. Pass: all zones report correctly, no false alarms from condensation ramp. Rationale: Integration test to verify leak detection interface operates correctly at both the interrupt-driven and polling paths, and that condensation discrimination prevents false emergency surfacing. | Test | verification, emergency-safety, session-318 |
| VER-TEST-015 | Verify IFC-INTERFACEDEFINITIONS-015: With VMC heartbeat running, verify watchdog GPIO remains high. Cease heartbeat and measure time from last pulse to ESC interrupt assertion. Pass: timeout occurs at 30 plus or minus 1 seconds, GPIO transitions from high to low, ESC receives interrupt through voting circuit within 100 ms of GPIO transition. Rationale: Confirms the watchdog timeout mechanism works end-to-end from heartbeat cessation through GPIO transition to ESC interrupt, verifying the fail-safe active-low open-drain topology. | Test | verification, emergency-safety, session-318 |
| VER-TEST-016 | Verify IFC-INTERFACEDEFINITIONS-016: Command ESC to activate primary solenoid release. Measure solenoid drive voltage (24 V plus or minus 5 percent), current (2 A plus or minus 10 percent), and verify ballast-away confirmation within 2 seconds. Simulate primary release failure by disconnecting confirmation signal, verify ESC escalates to burn-wire activation within 5 seconds. Measure burn-wire current (5 A at 12 V). Pass: both release paths function, confirmation feedback loop closes correctly. Rationale: Full-path test of both release mechanisms and the escalation logic, verifying the diverse redundancy architecture. Tests both the nominal path and the failure escalation path. | Test | verification, emergency-safety, session-318 |
| VER-TEST-017 | Verify IFC-INTERFACEDEFINITIONS-017: Command ESC to activate acoustic emergency pinger. Verify activation line latches. Disconnect ESC power and verify pinger continues transmitting. Measure pinger output at 37.5 kHz, verify source level exceeds 185 dB re 1 uPa at 1 m using calibrated hydrophone. Pass: pinger activates, latches, and sustains operation independently. Rationale: Confirms the latching activation and power-independent operation that enables 90-day seabed localisation even after complete vehicle power loss. | Test | verification, emergency-safety, session-318 |
| VER-TEST-018 | Verify IFC-INTERFACEDEFINITIONS-018: Command ESC to arm the Emergency Locator Beacon. Simulate surface conditions by reducing ambient pressure below 1.5 bar. Verify beacon self-activates within 10 seconds of pressure threshold crossing. Verify AIS SART transmission on 156.525 MHz using AIS receiver. Verify xenon strobe illumination. Pass: arming, pressure detection, and self-activation sequence completes correctly. Rationale: End-to-end verification of the two-stage arming/activation architecture that prevents premature beacon activation at depth while ensuring autonomous surface activation. | Test | verification, emergency-safety, session-318 |
| VER-TEST-019 | Verify IFC-INTERFACEDEFINITIONS-019: Monitor UART output from ESC at VMC serial port. Verify 1 Hz message rate with correct framing. Inject known leak sensor state and watchdog state, verify VMC receives correct telemetry values. Verify watchdog reset GPIO toggle is independent of UART link by disconnecting UART and confirming watchdog continues to receive heartbeat. Pass: telemetry data correct, watchdog independence confirmed. Rationale: Confirms the separation between telemetry (UART) and safety-critical watchdog reset (GPIO) paths, ensuring that a UART failure cannot mask a genuine VMC hang. | Test | verification, emergency-safety, session-318 |
| VER-TEST-020 | Verify IFC-INTERFACEDEFINITIONS-020: Simulate main battery discharge to 5 percent SOC and verify BMS asserts hardwired critical-low signal to ESC. Simulate single cell dropping to 2.8 V and verify signal asserts. Disconnect CAN bus between BMS and VMC and verify hardwired signal still functions. Pass: hardwired signal asserts at both SOC and cell voltage thresholds, operates independently of CAN bus. Rationale: Confirms the hardwired battery critical signal operates independently of the CAN bus data link, ensuring the ESC receives battery critical notification even during a CAN bus or VMC failure. | Test | verification, emergency-safety, session-318 |
| VER-TEST-021 | Verify end-to-end emergency surfacing chain: Cease VMC heartbeat to trigger watchdog timeout. Verify ESC initiates emergency sequence within 500 ms of timeout: drop weight release command issued, non-essential loads shed via PDU, acoustic pinger activated. Simulate surfacing (pressure < 1.5 bar) and verify beacon self-activates. Measure total elapsed time from watchdog timeout to full emergency configuration. Pass: complete sequence executes within 10 seconds, all subsystems reach correct emergency state. Rationale: System-level integration test exercising the complete emergency chain from fault detection through recovery aid activation, verifying that the independent safety architecture functions as designed under simulated conditions. | Test | verification, emergency-safety, session-318 |
| VER-TEST-022 | Verify IFC-INTERFACEDEFINITIONS-021: Connect MBES to payload processor via production Ethernet link. Inject simulated 256-beam ping data at 10 Hz. Measure sustained throughput using network tap and verify at least 150 MB/s with packet capture confirming less than 0.001 percent loss over 1-hour test. Rationale: Integration test verifying the highest-bandwidth sensor interface can sustain peak data rate without packet loss over mission-representative duration. | Test | verification, sensor-payload, session-319 |
| VER-TEST-023 | Verify IFC-INTERFACEDEFINITIONS-022: Trigger camera via hardware trigger at 10 Hz. Capture 100 consecutive frames and verify all 24MP images are received complete via GigE Vision. Measure trigger-to-timestamp offset and verify less than 1 ms jitter. Rationale: Validates hardware trigger synchronisation path which is critical for georeferencing accuracy. 100-frame burst at max rate exercises the sustained transfer capability. | Test | verification, sensor-payload, session-319 |
| VER-TEST-024 | Verify IFC-INTERFACEDEFINITIONS-023: Connect CTD to payload processor via RS-232 at 115200 baud. Verify 24 Hz sample reception with no dropped telegrams over 1-hour test. Validate parsed C, T, P values against reference standards within stated accuracy. Rationale: RS-232 link verification confirms both electrical connectivity and telegram parsing. 1-hour duration proves sustained operation without serial buffer overrun. | Test | verification, sensor-payload, session-319 |
| VER-TEST-025 | Verify IFC-INTERFACEDEFINITIONS-024: Inject a step change in sound velocity at the CTD output. Verify the MBES receives the updated SVP telegram within 1 second and applies it to the next ping cycle. Confirm by comparing beam depths before and after the step change against expected refraction correction. Rationale: Validates the real-time SVP correction path. Step-change test is the clearest way to confirm the MBES is actively using the CTD-provided sound velocity rather than a stale value. | Test | verification, sensor-payload, session-319 |
| VER-TEST-026 | Verify IFC-INTERFACEDEFINITIONS-025: Run concurrent simulated sensor data streams at aggregate 200 MB/s to Mass Storage Array for 1 hour. Verify sustained write throughput via NVMe SMART counters and confirm 99th percentile write latency is below 500 microseconds using IO tracing. Rationale: Most critical storage path test. 1-hour duration at peak rate confirms no thermal throttling or firmware write amplification degrades throughput during sustained operation. | Test | verification, sensor-payload, session-319 |
| VER-TEST-027 | Verify IFC-INTERFACEDEFINITIONS-026: Monitor SPP health telemetry at VMC Ethernet port and verify 1 Hz message rate with all defined fields populated. Then initiate bulk data offload and measure sustained transfer rate exceeding 100 MB/s over 10 GB test dataset. Rationale: Dual-purpose test validates both real-time telemetry path and post-mission offload capability. 10 GB dataset is representative of a partial offload scenario. | Test | verification, sensor-payload, session-319 |
| VER-TEST-028 | Verify end-to-end sensor payload chain: Activate all three sensors (MBES, camera, CTD) simultaneously via VMC mission command. Verify concurrent data acquisition with PPS-synchronised timestamps across all streams. Run for 30 minutes at survey speed and confirm at least 200 MB/s sustained write to storage with all data georeferenced and no dropped samples on any channel. Rationale: System-level integration test exercising the full stimulus-to-storage chain under realistic concurrent load. 30-minute duration validates thermal and buffer stability. | Test | verification, sensor-payload, integration, session-319 |
| VER-TEST-029 | Verify IFC-INTERFACEDEFINITIONS-027: Transmit 1000 test packets of varying size (1 to 256 bytes) from acoustic modem to communications controller via RS-232 at 19200 baud. Verify all packets received with correct CRC-16 and no data corruption. Measure packet delivery latency. Rationale: Exercises the full packet size range and validates CRC-16 error detection on the serial link. | Test | verification, communications, session-319 |
| VER-TEST-030 | Verify IFC-INTERFACEDEFINITIONS-028: Command Iridium SBD transceiver to send a 340-byte MO message and receive a 270-byte MT message via the communications controller AT command interface. Verify correct message content and confirm UART timing at 19200 baud. Rationale: Validates MO/MT message handling at maximum payload size through the AT command protocol. | Test | verification, communications, session-319 |
| VER-TEST-031 | Verify IFC-INTERFACEDEFINITIONS-029: Initiate concurrent TCP bulk transfer at 100 MB/s and UDP telemetry at 1 Hz between Wi-Fi radio module and communications controller. Verify TCP transfer completes without error and UDP telemetry is received at 1 Hz with less than 5ms jitter throughout the bulk transfer. Rationale: Validates concurrent protocol operation under load — the primary failure mode for Wi-Fi offload is telemetry dropping during bulk transfer. | Test | verification, communications, session-319 |
| VER-TEST-032 | Verify IFC-INTERFACEDEFINITIONS-030: Send a safety-critical abort command from VMC to communications controller. Verify delivery confirmation is returned within 100 ms. Then simulate a VMC restart and verify the communications controller retains its message buffer and resumes forwarding upon VMC reconnection. Rationale: Validates the most critical command path and the store-and-forward resilience across VMC restart, which is the key architectural differentiator of the centralised controller design. | Test | verification, communications, session-319 |
| VER-TEST-039 | Verify SUB-FUNC-027: Disconnect main battery pack and primary power bus. Verify Emergency Surfacing Controller continues operation on dedicated emergency battery. Monitor ESC status outputs for 48 continuous hours. Verify all safety functions remain operational throughout including leak sensor polling, watchdog monitoring, and drop weight release command capability. Pass criteria: ESC maintains full functionality for 48 hours minimum on emergency battery alone. Rationale: The ESC must operate independently of the main power system. This test verifies the dedicated emergency battery provides 48-hour endurance, the minimum time for a surface vessel to locate and recover a surfaced AUV in remote ocean areas. | Test | verification, safety, emergency, validation, session-321 |
| VER-TEST-040 | Verify SUB-FUNC-028: Inject single-channel fault signals of 50 ms and 150 ms duration on each of the three input channels for watchdog timeout, leak detection, and battery critical. Verify that 50 ms transients on a single channel are rejected. Verify that 150 ms signals on two of three channels trigger the emergency sequence. Pass criteria: zero false triggers from single-channel transients below 100 ms, correct two-of-three voting for all signal combinations. Rationale: The majority voting logic is the primary defence against false emergency surfacing events which abort the mission. Testing must verify both correct rejection of transients and correct assertion of genuine multi-channel faults across all three safety input types. | Test | verification, safety, voting, validation, session-321 |
| VER-TEST-041 | Verify SUB-FUNC-004: Inject progressively degraded sensor data into each navigation input individually and in combination. Measure fault detection latency from injection to sensor exclusion. Verify navigation solution remains valid after exclusion. Pass criteria: all faults detected within 500 ms, navigation solution continuity maintained with position accuracy within 0.5 percent of distance travelled after any single sensor exclusion. Rationale: A navigation processor that incorporates faulty sensor data generates erroneous position estimates leading to off-track survey or seabed collision. The 500 ms detection window must be verified for each sensor with realistic fault signatures. | Test | verification, navigation, fault-detection, validation, session-321 |
| VER-TEST-042 | Verify SUB-FUNC-025: Disable primary solenoid release. Command burn-wire activation via ESC backup circuit. Measure time from burn-wire energisation to confirmed ballast release at temperatures of 2C and 30C in environmental chamber. Conduct 10 trials at each extreme. Pass criteria: all releases complete within 15 seconds at 2C worst case, burn-wire circuit electrical isolation from primary release confirmed. Rationale: The burn-wire is the last-resort recovery mechanism. Temperature directly affects nichrome wire heating rate. Testing at extremes verifies the 15-second budget under worst-case thermal conditions. | Test | verification, safety, emergency, validation, session-321 |

```mermaid
flowchart TB
    n0["component<br>Lithium-Ion Battery Pack"]
    n1["component<br>Battery Management System"]
    n2["component<br>Power Distribution Unit"]
    n3["component<br>DC-DC Converter Module"]
    n4["external<br>Vehicle Management Computer"]
    n5["external<br>Subsystem Loads"]
    n0 -->|48V DC bus| n2
    n1 -->|Cell monitoring and protection| n0
    n2 -->|Switched 48V| n3
    n3 -->|24V, 12V, 5V rails| n5
    n1 -->|SOC and battery status| n4
    n4 -->|Load shed commands| n2
```
Power Subsystem — Internal

```mermaid
flowchart TB
    n0["controller<br>Motor Drive Electronics"]
    n1["actuator<br>Brushless DC Propulsion Motor"]
    n2["mechanism<br>Propeller and Shaft Assembly"]
    n3["actuator<br>Control Surface Actuator Assembly"]
    n4["actuator<br>Buoyancy Trim System"]
    n5["external<br>Vehicle Management Computer"]
    n6["external<br>Power Distribution Unit"]
    n5 -->|CAN: speed/torque cmds| n0
    n0 -->|3-phase commutated power| n1
    n1 -->|torque via magnetic coupling| n2
    n5 -->|CAN: fin deflection cmds| n3
    n5 -->|CAN: buoyancy offset cmds| n4
    n6 -->|48V DC power| n0
    n6 -->|24V DC power| n3
    n6 -->|48V DC power| n4
```
Propulsion Subsystem — Internal

```mermaid
flowchart TB
    n0["component<br>Emergency Surfacing Controller"]
    n1["component<br>Drop Weight Release Mechanism"]
    n2["component<br>Hardware Watchdog Timer"]
    n3["component<br>Leak Detection Sensor Array"]
    n4["component<br>Emergency Locator Beacon"]
    n5["component<br>Acoustic Emergency Pinger"]
    n6["component<br>Emergency Battery"]
    n7["external<br>Vehicle Management Computer"]
    n8["external<br>Battery Management System"]
    n2 -->|GPIO timeout interrupt| n0
    n3 -->|I2C leak alarm| n0
    n8 -->|Hardwired battery critical-low| n0
    n7 -->|Heartbeat and abort command| n0
    n0 -->|Solenoid and burn-wire release| n1
    n0 -->|Activation line| n5
    n0 -->|Arming line| n4
    n6 -->|Independent power| n0
    n7 -->|30s heartbeat pulse| n2
    n0 -->|UART health telemetry| n7
```
Emergency and Safety Subsystem — Internal

```mermaid
flowchart TB
    n0["component<br>Acoustic Modem"]
    n1["component<br>Iridium SBD Transceiver"]
    n2["component<br>Wi-Fi Radio Module"]
    n3["component<br>Communications Controller"]
    n0 -->|Acoustic telemetry via RS-232| n3
    n1 -->|SBD messages via UART| n3
    n2 -->|Data offload via Ethernet| n3
```
Communications Subsystem — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Acoustic Emergency Pinger | D6C54218 | Underwater acoustic beacon operating at 37.5 kHz for location of a lost AUV on the seabed, compatible with standard naval and commercial acoustic search receivers. Source level 185 dB re 1 uPa at 1m. Pulse repetition rate 1 pulse per second, pulse duration 10ms. Powered by lithium primary cell providing 90 days continuous operation. Pressure-rated to 700 bar (7000m) for operation at full ocean depth. Activated by Emergency Surfacing Controller on mission abort if vehicle fails to achieve positive buoyancy. Also serves as tracking aid during normal recovery operations. |
| Acoustic Modem | D4F57018 | Mid-frequency (9-14 kHz) underwater acoustic modem providing half-duplex digital communication at up to 3 kbps over ranges to 5 km. Supports both command/telemetry messaging and ranging for USBL position aiding. Operates from 6000m depth. Used for vehicle-to-surface communication during submerged survey operations on an AUV, enabling mission status updates and remote abort commands without surfacing. |
| Aft Endcap and Shaft Seal Assembly | CE851018 | Titanium endcap housing the propeller shaft mechanical seal (double-lip rotary seal with oil-filled cavity), motor power penetrators, and aft sensor penetrators. Includes pressure-compensated oil reservoir maintaining 0.5 bar overpressure at the shaft seal to prevent water ingress at depth. Depth rated to 6000m. Critical seal interface between the flooded aft section and dry pressure hull interior. |
| Autonomous Underwater Vehicle | DFF75018 | Unmanned submersible platform designed for deep-sea survey, inspection, and environmental monitoring missions at depths to 6000m. Operates autonomously for 24-72 hour missions using lithium-polymer battery power with inertial/acoustic navigation (no GPS underwater). Integrates forward-looking sonar, multibeam bathymetry, HD cameras, CTD sensors, and mission-specific payloads. Communicates via acoustic modem subsea and RF/satellite on surface. Must withstand 600 bar pressure, near-freezing temperatures, and biofouling. Safety-critical: must surface autonomously on any fault that could lead to vehicle loss. |
| Battery Management System | 55F77A19 | Safety-critical controller monitoring lithium-ion battery pack health. Performs cell voltage monitoring, temperature sensing, state-of-charge estimation via coulomb counting with Kalman filter correction, and fault detection including over-current, over-temperature, and cell imbalance. Provides remaining energy estimates to vehicle management computer for mission abort decisions. Independent hardware protection circuit for over-voltage and thermal runaway prevention. |
| Brushless DC Propulsion Motor | D7C51018 | Oil-filled, pressure-compensated brushless DC motor serving as the primary thrust actuator for a 6000m-rated autonomous underwater vehicle. Operates at depths to 6000m with external hydrostatic pressure up to 600 bar. Provides approximately 200W continuous power at 3-knot cruise and 800W peak for maneuvering in currents. Oil-compensated housing eliminates pressure differential across seals. Must meet stringent acoustic noise limits (<130 dB re 1µPa at 1m in 10Hz-1kHz band). Interfaces with motor drive electronics via 3-phase power cables and Hall-effect sensor feedback. |
| Buoyancy Trim System | 53F53208 | Oil-hydraulic variable buoyancy system for a 6000m-rated AUV providing static buoyancy adjustment and fine depth control. Transfers hydraulic oil between an internal reservoir (within the pressure hull) and an external elastomeric bladder to change vehicle displacement by up to ±2kg equivalent. Uses a high-pressure hydraulic pump capable of operating against 600 bar ambient pressure. Provides trim authority for compensating payload changes, water density variations with depth and salinity, and low-speed depth holding without propulsive thrust. Controlled by the Vehicle Management Computer, which commands target buoyancy offset based on depth error and vertical velocity. Pump draws approximately 150W during active trimming. |
| Communications Controller | 51F77008 | Embedded ARM processor running message routing firmware. Manages all external communications interfaces: acoustic modem (submerged), Iridium SBD (surfaced), and Wi-Fi (surfaced near vessel). Handles message prioritisation, store-and-forward buffering for intermittent links, encryption of command channels, and automatic link selection based on vehicle state (submerged, surfaced, near vessel). Interfaces to VMC via internal Ethernet for command relay and telemetry forwarding. |
| Communications Subsystem | 54E57018 | Dual-domain communications for AUV operating subsea and at surface. Underwater: 10kHz acoustic modem providing 1kbps data link to surface vessel at ranges up to 5km, used for status telemetry, mission updates, and emergency recall commands. Surface: WiFi (802.11n) for high-bandwidth data offload when within 200m of support vessel, Iridium SBD satellite modem for position reporting and mission status when operating beyond vessel range. Emergency locator beacon (EPIRB) on 406MHz with GPS for post-loss recovery. Acoustic transponder for USBL tracking integration with navigation subsystem. |
| Control Surface Actuator Assembly | D7F51018 | Servo-driven rudder and elevator fin actuators mounted on the AUV tail section for 3-axis attitude and trajectory control. Each fin is driven by a brushless servo motor in an oil-filled housing rated to 600 bar. Provides pitch, yaw, and roll authority for waypoint tracking, depth changes, and obstacle avoidance. Fin deflection range ±30 degrees with 0.1-degree resolution and 200ms full-sweep response time. Receives heading, depth, and attitude commands from Vehicle Management Computer at 10Hz update rate. Critical for maintaining survey track accuracy during multibeam bathymetry operations where cross-track deviation must stay within 2m. |
| CTD Sensor Package | D6851018 | Integrated conductivity-temperature-depth sensor measuring seawater salinity (0-42 PSU, accuracy 0.003 PSU), temperature (-2 to 35 deg C, accuracy 0.001 deg C), and pressure (0-6500 dbar, accuracy 0.01% FS). Pumped flow path with anti-fouling guard. Samples at 24 Hz for sound velocity profile computation used to correct multibeam echosounder beamforming. Also records water column profiles for oceanographic survey data products. |
| DC-DC Converter Module | D6C51018 | High-efficiency isolated DC-DC converters stepping down 48V battery bus to 24V, 12V, and 5V regulated rails. Combined efficiency above 94 percent across load range. Operates in oil-filled pressure-compensated enclosure at depths to 6000m. Input voltage range 38-58V to accommodate battery discharge curve. Output regulation within 1 percent under transient loads. Total rated output 350W continuous. |
| Depth Pressure Sensor | D4C55018 | Paroscientific Digiquartz pressure transducer providing depth measurement from 0 to 6500m with accuracy of 0.01% full scale (0.65m). Temperature-compensated with response time under 50ms. Provides both depth for navigation and pressure for hull integrity monitoring. Connected to navigation processor via RS-485 serial interface at 10Hz output rate. |
| Digital Still Camera with LED Illumination | D6C51008 | Downward-looking 24-megapixel CMOS camera with integrated 4-LED array providing 12000 lumens. Captures georeferenced seabed imagery at 2cm/pixel resolution from 5m altitude. Triggered by sensor payload processor at configurable interval (1-10 Hz) synchronised to navigation fixes. Titanium pressure housing rated to 6000m. Provides optical ground-truth imagery for AUV survey missions complementing acoustic bathymetry data. |
| Doppler Velocity Log | D4C51018 | Acoustic bottom-tracking DVL operating at 300kHz with 4-beam Janus configuration. Provides ground-referenced velocity measurements accurate to 0.3% of speed at ranges up to 200m altitude. Used to bound INS drift during near-bottom survey operations. Outputs 3-axis velocity at 5 Hz. Also provides altitude measurement for terrain-following. Transducer array flush-mounted in hull with acoustic window. |
| Drop Weight Release Mechanism | D6C51018 | Electromechanical ballast jettison system for emergency positive buoyancy recovery of a 350kg AUV rated to 6000m depth. Primary release via solenoid latch drawing 2A at 24V; backup release via nichrome burn-wire activated independently by the Emergency Surfacing Controller. Drops a 15kg tungsten ballast mass to achieve positive buoyancy of approximately 8kg net. Release time under 2 seconds from command. Must function reliably after 6000m pressure soak and extended dormancy. Single-use per mission; reloaded on deck. |
| Emergency and Safety Subsystem | 51F77A18 | Independent safety layer for AUV loss prevention, operating on dedicated emergency power bus isolated from main vehicle power. Drop weight release (2kg tungsten) triggered by watchdog timer timeout, acoustic command, or critical fault detection — provides positive buoyancy for passive surfacing from 6000m. Hardware watchdog timer (independent microcontroller) monitors vehicle management computer heartbeat; triggers emergency surfacing sequence if heartbeat lost for >60 seconds. Xenon strobe and RF beacon activate on surfacing for visual/electronic recovery. Leak detection sensors in all pressure hull compartments trigger immediate mission abort. System is fail-safe: loss of power or communication defaults to surface. |
| Emergency Locator Beacon | D6F57018 | Combined surface recovery aid for a deep-rated AUV, activated upon emergency surfacing. Integrates xenon strobe visible at 3 nautical miles, VHF radio beacon on 156.525 MHz with AIS SART function detectable at 10+ NM, and GPS receiver for self-localisation. Position encoded in AIS transmissions. Powered by dedicated lithium primary cell with 72-hour continuous operation. Waterproof IP68. Activated by Emergency Surfacing Controller upon detecting surface conditions (pressure < 1.5 bar). |
| Emergency Surfacing Controller | D1F37218 | Independent safety-critical processor separate from the main Vehicle Management Computer, managing the emergency surfacing sequence for a deep-rated AUV. Monitors hardware watchdog, leak sensors, and battery critical-low signals. When triggered, executes a deterministic sequence: drop weight release, power down non-essential loads, activate acoustic pinger, and upon surfacing activate locator beacon. ARM Cortex-M0 class MCU with triple-redundant voting on critical inputs. Powered from a dedicated emergency battery cell independent of the main pack. Must operate even if main VMC, main battery, and all comms are lost. |
| Forward Endcap Assembly | CE851008 | Titanium endcap with integrated optical viewport (BK7 glass, 100mm diameter) for downward-looking camera, and 12 SubConn MCBH wet-mate connector penetrations for sensor interfaces. O-ring face seal with backup quad-ring. Depth rated to 6000m. Provides pressure-tight feedthrough for all forward-facing sensor cables (MBES, camera, CTD, DVL) on the AUV. |
| Free-Flood Fairing | C6841008 | Streamlined fibreglass composite outer shell providing hydrodynamic form factor (fineness ratio 8:1) around the pressure hull and free-flood sections. Houses control surface fins, propeller guard, and external sensor mounts. Not pressure-rated — floods freely during descent. Reduces vehicle drag coefficient to less than 0.15 at 3-knot cruise speed. Removable in sections for field maintenance access to internal components. |
| Hardware Watchdog Timer | D6F57A08 | Independent hardware watchdog circuit for AUV emergency surfacing failsafe. External to the Vehicle Management Computer, implemented as a discrete timer IC (e.g., MAX6369) with independent crystal oscillator. The VMC must reset the watchdog via a dedicated GPIO pulse every 30 seconds. If the watchdog times out (VMC crash, hang, or power loss), it asserts a hardware interrupt to the Emergency Surfacing Controller, triggering the emergency surfacing sequence. Timeout period configurable between 15-120 seconds via resistor selection, set to 60 seconds for operational missions. Powered from the emergency battery rail independent of main power. |
| Hull Penetrator Array | D2855008 | Set of 24 SubConn MCBH-series wet-mateable bulkhead connectors distributed across forward and aft endcaps. Each penetrator provides pressure-tight electrical feedthrough rated to 6000m depth. Connector types include power (600V, 10A), signal (Ethernet, RS-232, RS-485), and fibre optic (single-mode). Provides all electrical and optical connections between internal hull electronics and external sensors, actuators, and antennas. |
| Inertial Navigation Unit | D4E73018 | Fibre-optic gyroscope (FOG) based inertial measurement unit providing 6-DOF acceleration and angular rate sensing. Drift rate < 0.1 deg/hr, accelerometer bias stability < 10 µg. Primary dead-reckoning source for AUV operating in GPS-denied underwater environment at depths to 6000m. Outputs body-frame velocity and attitude at 200 Hz to the navigation processor. Pressure-rated titanium housing. |
| Iridium SBD Transceiver | D7F75008 | Iridium Short Burst Data satellite transceiver with integrated GPS receiver. Transmits 340-byte SBD messages via the Iridium constellation when the AUV antenna is above the sea surface. Primary surfaced communications link for position reporting, mission status, and emergency alerts. Activates automatically upon detecting surface conditions (ambient pressure below 200 mbar). Rated for marine environment with conformal antenna integrated into the AUV tailfin. |
| Leak Detection Sensor Array | D4F55208 | Distributed humidity and water ingress detection system inside the AUV pressure hull. Comprises 4 point sensors at hull penetrator locations and 2 condensation sensors on internal hull surfaces. Each sensor detects liquid water contact and reports via I2C bus to the Emergency Surfacing Controller. Detection threshold: 0.5ml water presence. Response time under 500ms from water contact to alarm signal. Operates at 3.3V with total current draw under 50mA. Must distinguish between condensation (gradual humidity rise) and active leak (rapid water contact). |
| Lithium-Ion Battery Pack | D6D51018 | Primary energy storage for deep-sea AUV. Pressure-compensated lithium-ion battery pack using NCA cells in oil-filled enclosure rated to 600 bar. Total usable capacity 10kWh at 48V nominal. Supports 24-hour mission endurance at 3-knot cruise. Maximum discharge rate 2C for thruster transients. Operating temperature range -2 to 45 degrees C. Includes cell-level balancing and thermal management. |
| Main Pressure Hull Cylinder | CE850018 | Grade 5 titanium alloy (Ti-6Al-4V) cylindrical pressure vessel, 1800mm internal length by 250mm internal diameter, wall thickness 12mm. Houses all electronics, batteries, and payload instruments. Rated to 6000m depth (600 bar external hydrostatic pressure) with safety factor of 1.5 on yield. O-ring sealed at both endcaps. External surface hard-anodised for corrosion resistance. Primary structural element of the autonomous underwater vehicle. |
| Mass Storage Array | D6851008 | Redundant NVMe SSD storage array providing 4 TB minimum usable capacity with sustained sequential write throughput of 200 MB/s. Configured as RAID-1 mirror across two 4 TB drives for data integrity. Pressure-compensated enclosure rated to 6000m. Stores all mission sensor data: multibeam bathymetry pings, camera images, CTD profiles. Interfaces to sensor payload processor via PCIe NVMe. Supports post-mission data offload via dedicated high-speed link to communications subsystem. |
| Motor Drive Electronics | D1F53018 | Field-oriented control (FOC) motor drive for a brushless DC propulsion motor on a 6000m-rated AUV. Housed in a pressure-rated electronics canister within the tail section. Receives speed/torque commands from the Vehicle Management Computer via RS-485/CAN bus and executes sinusoidal commutation for low acoustic noise and high efficiency. Provides regenerative braking capability, over-current protection, and thermal monitoring. Draws from 48V DC bus via the Power Distribution Unit. Maximum continuous output 800W, switching frequency >20kHz to stay above the audible/hydroacoustic band. |
| Multibeam Echosounder | D4E71018 | Hull-mounted 400 kHz multibeam echosounder with 256 beams across 120-degree swath. Provides bathymetric depth measurements at 0.5m lateral resolution and 0.1m vertical accuracy at survey altitude of 50m above seabed. Equidistant beam spacing with electronic beam stabilisation for roll, pitch, and heave compensation. Operating depth rated to 6000m. Primary survey instrument for georeferenced seabed mapping on an autonomous underwater vehicle. |
| Navigation and Guidance Subsystem | 45F73018 | |
| Navigation Processor | 51F77208 | Embedded real-time computer running extended Kalman filter for multi-sensor fusion. Fuses INS, DVL, USBL, depth sensor, and surface GPS data into optimal state estimate. Outputs filtered position, velocity, and attitude at 50 Hz to the vehicle management computer. Implements fault detection and isolation for sensor failures. Dual-redundant ARM Cortex-R5 processors with lockstep for safety integrity. Power consumption under 15W. |
| Power Distribution Unit | D6C51018 | Central power switching and distribution unit for AUV subsystems. Receives 48V DC from battery pack and provides regulated outputs at 48V, 24V, 12V, and 5V rails. Solid-state switching with current limiting and fault isolation per channel. Implements power sequencing for controlled startup and emergency load shedding. Maximum throughput 500W continuous. EMI-filtered outputs for sensor subsystems. |
| Power Subsystem | 56F71218 | Provides electrical power for all AUV subsystems during autonomous missions of 24-72 hours. Primary energy storage is 10kWh lithium-polymer battery in pressure-compensated oil-filled housing rated to 6000m depth. Power management unit distributes 48VDC main bus and 24VDC/12VDC regulated rails. Battery management system monitors cell voltages, temperatures, and state-of-charge, triggering mission abort at 15% remaining capacity. Shore charging via wet-mate connector at 1kW. Includes emergency power reserve (separate 500Wh pack) for safety-critical systems during emergency surfacing. |
| Pressure Hull and Structure | CE851018 | Torpedo-shaped pressure vessel and external fairing providing structural integrity and buoyancy for AUV operations to 6000m (600 bar). Main pressure hull is Grade 5 titanium (Ti-6Al-4V) cylinder, 250mm internal diameter, 2.2m length, housing electronics and batteries. Forward and aft hemispherical endcaps with penetrators for cables and sensors. External syntactic foam fairing provides hydrodynamic shape and positive buoyancy to achieve neutral trim. Total vehicle length 4.5m, dry mass 350kg, slightly positive buoyancy in seawater. Ballast system: variable buoyancy engine (VBE) using hydraulic oil/seawater exchange for ±2kg buoyancy trim. |
| Propeller and Shaft Assembly | CEC51008 | Fixed-pitch, 5-blade propeller with magnetic coupling shaft seal for a 6000m-rated AUV. Propeller diameter approximately 250mm, optimized for maximum efficiency at 3-knot cruise speed with low cavitation inception to meet noise requirements (<130 dB re 1µPa at 1m). Magnetic coupling eliminates rotary shaft seals, providing zero-leak torque transfer through the pressure boundary. Shaft supported by polymer bearings lubricated by seawater. Assembly must withstand 600 bar external pressure and biofouling. Key design constraint is balancing propulsive efficiency against radiated noise in the 10Hz-1kHz band. |
| Propulsion Subsystem | D6D53218 | |
| Sensor Payload Processor | 51B77208 | Embedded x86 compute module running real-time Linux, responsible for synchronised data acquisition from multibeam echosounder, camera, and CTD sensor. Timestamps all sensor data against PPS-disciplined clock from the navigation processor. Performs real-time georeferencing by fusing sensor data with navigation solution. Manages write scheduling to the mass storage array at sustained 200 MB/s. Interfaces to VMC via Gigabit Ethernet for mission control, health reporting, and sensor mode configuration. |
| Sensor Payload Subsystem | D4C51208 | Modular sensor bay housing mission-specific instrumentation for deep-sea survey and inspection. Core sensors: 400kHz multibeam echosounder (120-degree swath, 0.5m resolution at 100m range), dual-frequency side-scan sonar (100/400kHz), 4K HDR camera with LED lighting array (6000 lumens), CTD probe (conductivity-temperature-depth with 0.001 PSU accuracy). Payload bay accepts additional instruments via standardised mechanical/electrical interfaces: magnetometer, sub-bottom profiler, water sampling carousel. All sensor data timestamped to PPS-synchronised clock and logged to 4TB SSD at up to 200MB/s aggregate. |
| Surface GPS Antenna Module | D6C45018 | Integrated GPS L1/L2 receiver with patch antenna in a pressure-rated mast-mounted housing. Acquires GPS fix within 60 seconds of surfacing for position recalibration before and after dive. Provides position accuracy of 2.5m CEP. Also supplies precise UTC time reference for synchronising navigation data timestamps. Active only when vehicle is at or near surface. Connected to navigation processor via serial interface. |
| USBL Acoustic Transponder | D4F54008 | Ultra-short baseline acoustic positioning transponder operating at 20-30kHz. Receives interrogation signals from ship-mounted USBL array and replies for range-bearing position fixes accurate to 0.1 percent of slant range. Provides periodic absolute position updates to recalibrate INS drift. Also supports acoustic telemetry for low-bandwidth command/status exchange with surface vessel. Operates at depths to 6000m. |
| Vehicle Management Computer | 51B77008 | Central processing node executing mission control, health management, and fault response for the AUV. Dual-redundant ARM-based compute modules in hot-standby configuration running real-time Linux (PREEMPT_RT). Executes mission plan interpreter, coordinates subsystem modes, monitors 200+ health parameters via CAN bus and Ethernet. Fault management engine implements hierarchical response: sensor reconfiguration, mission modification, and emergency surfacing. Logs all vehicle state and decisions to non-volatile storage. Provides operator interface via Ethernet when docked. 50W nominal power consumption. |
| Wi-Fi Radio Module | D6E55018 | Dual-band 802.11ac Wi-Fi radio with directional antenna providing 300 Mbps throughput at ranges to 500m line-of-sight. Used for high-bandwidth data offload when the AUV is surfaced within range of the support vessel. Enables transfer of mission sensor data (up to 4 TB) without physical recovery. Also provides a secondary command channel for mission upload and diagnostics. Marine-hardened enclosure with splash-proof antenna. |

| Component | Belongs To |
|---|---|
| Navigation and Guidance Subsystem | Autonomous Underwater Vehicle |
| Propulsion Subsystem | Autonomous Underwater Vehicle |
| Power Subsystem | Autonomous Underwater Vehicle |
| Sensor Payload Subsystem | Autonomous Underwater Vehicle |
| Communications Subsystem | Autonomous Underwater Vehicle |
| Vehicle Management Computer | Autonomous Underwater Vehicle |
| Pressure Hull and Structure | Autonomous Underwater Vehicle |
| Emergency and Safety Subsystem | Autonomous Underwater Vehicle |
| Inertial Navigation Unit | Navigation and Guidance Subsystem |
| Doppler Velocity Log | Navigation and Guidance Subsystem |
| USBL Acoustic Transponder | Navigation and Guidance Subsystem |
| Navigation Processor | Navigation and Guidance Subsystem |
| Depth Pressure Sensor | Navigation and Guidance Subsystem |
| Surface GPS Antenna Module | Navigation and Guidance Subsystem |
| Lithium-Ion Battery Pack | Power Subsystem |
| Power Distribution Unit | Power Subsystem |
| Battery Management System | Power Subsystem |
| DC-DC Converter Module | Power Subsystem |
| Brushless DC Propulsion Motor | Propulsion Subsystem |
| Motor Drive Electronics | Propulsion Subsystem |
| Propeller and Shaft Assembly | Propulsion Subsystem |
| Control Surface Actuator Assembly | Propulsion Subsystem |
| Buoyancy Trim System | Propulsion Subsystem |
| Drop Weight Release Mechanism | Emergency and Safety Subsystem |
| Emergency Surfacing Controller | Emergency and Safety Subsystem |
| Emergency Locator Beacon | Emergency and Safety Subsystem |
| Acoustic Emergency Pinger | Emergency and Safety Subsystem |
| Leak Detection Sensor Array | Emergency and Safety Subsystem |
| Hardware Watchdog Timer | Emergency and Safety Subsystem |
| Multibeam Echosounder | Sensor Payload Subsystem |
| Digital Still Camera with LED Illumination | Sensor Payload Subsystem |
| CTD Sensor Package | Sensor Payload Subsystem |
| Sensor Payload Processor | Sensor Payload Subsystem |
| Mass Storage Array | Sensor Payload Subsystem |
| Acoustic Modem | Communications Subsystem |
| Iridium SBD Transceiver | Communications Subsystem |
| Wi-Fi Radio Module | Communications Subsystem |
| Communications Controller | Communications Subsystem |
| Main Pressure Hull Cylinder | Pressure Hull and Structure |
| Forward Endcap Assembly | Pressure Hull and Structure |
| Aft Endcap and Shaft Seal Assembly | Pressure Hull and Structure |
| Free-Flood Fairing | Pressure Hull and Structure |
| Hull Penetrator Array | Pressure Hull and Structure |

| From | To |
|---|---|
| Inertial Navigation Unit | Navigation Processor |
| Doppler Velocity Log | Navigation Processor |
| USBL Acoustic Transponder | Navigation Processor |
| Depth Pressure Sensor | Navigation Processor |
| Surface GPS Antenna Module | Navigation Processor |
| Navigation Processor | Vehicle Management Computer |
| USBL Acoustic Transponder | Communications Subsystem |
| Lithium-Ion Battery Pack | Power Distribution Unit |
| Power Distribution Unit | DC-DC Converter Module |
| Battery Management System | Lithium-Ion Battery Pack |
| Battery Management System | Vehicle Management Computer |
| Power Distribution Unit | Vehicle Management Computer |
| Motor Drive Electronics | Brushless DC Propulsion Motor |
| Brushless DC Propulsion Motor | Propeller and Shaft Assembly |
| Motor Drive Electronics | Vehicle Management Computer |
| Control Surface Actuator Assembly | Vehicle Management Computer |
| Buoyancy Trim System | Vehicle Management Computer |
| Power Distribution Unit | Motor Drive Electronics |
| Power Distribution Unit | Control Surface Actuator Assembly |
| Power Distribution Unit | Buoyancy Trim System |
| Leak Detection Sensor Array | Emergency Surfacing Controller |
| Hardware Watchdog Timer | Emergency Surfacing Controller |
| Emergency Surfacing Controller | Drop Weight Release Mechanism |
| Emergency Surfacing Controller | Acoustic Emergency Pinger |
| Emergency Surfacing Controller | Emergency Locator Beacon |
| Emergency Surfacing Controller | Vehicle Management Computer |
| Battery Management System | Emergency Surfacing Controller |
| Multibeam Echosounder | Sensor Payload Processor |
| Digital Still Camera with LED Illumination | Sensor Payload Processor |
| CTD Sensor Package | Sensor Payload Processor |
| Sensor Payload Processor | Mass Storage Array |
| Sensor Payload Processor | Vehicle Management Computer |
| CTD Sensor Package | Multibeam Echosounder |
| Acoustic Modem | Communications Controller |
| Iridium SBD Transceiver | Communications Controller |
| Wi-Fi Radio Module | Communications Controller |
| Communications Controller | Vehicle Management Computer |

| Component | Output |
|---|---|
| Inertial Navigation Unit | body-frame velocity and attitude at 200Hz |
| Doppler Velocity Log | ground-referenced 3-axis velocity and altitude at 5Hz |
| USBL Acoustic Transponder | absolute position fixes via acoustic ranging |
| Navigation Processor | fused position, velocity, and attitude at 50Hz |
| Depth Pressure Sensor | depth measurement at 10Hz |
| Surface GPS Antenna Module | GPS position fix and UTC time reference |
| Lithium-Ion Battery Pack | 48V DC bus power at 10kWh capacity |
| Power Distribution Unit | switched and fused power to all subsystems |
| Battery Management System | SOC estimates and battery health status |
| DC-DC Converter Module | regulated 24V, 12V, and 5V rails |
| Brushless DC Propulsion Motor | rotary torque |
| Motor Drive Electronics | 3-phase commutated power |
| Propeller and Shaft Assembly | hydrodynamic thrust |
| Control Surface Actuator Assembly | fin deflection forces |
| Buoyancy Trim System | variable displacement |
| Drop Weight Release Mechanism | emergency positive buoyancy via 15kg ballast jettison |
| Emergency Surfacing Controller | deterministic emergency surfacing sequence commands |
| Emergency Locator Beacon | VHF AIS SART signal and xenon strobe for surface recovery |
| Acoustic Emergency Pinger | 37.5 kHz acoustic pulses at 185 dB for underwater localisation |
| Leak Detection Sensor Array | water ingress alarm and humidity trend data |
| Hardware Watchdog Timer | VMC health status and timeout interrupt to ESC |
| Multibeam Echosounder | 256-beam bathymetric depth swath at 0.5m resolution and 0.1m vertical accuracy |
| Digital Still Camera with LED Illumination | georeferenced 24MP seabed images at 2cm/pixel resolution |
| CTD Sensor Package | salinity, temperature, depth profiles at 24Hz and derived sound velocity |
| Sensor Payload Processor | timestamped georeferenced sensor data written to storage at 200 MB/s |
| Mass Storage Array | 4TB persistent mission data with RAID-1 integrity |
| Acoustic Modem | half-duplex digital telemetry at 3 kbps over 5 km underwater |
| Iridium SBD Transceiver | 340-byte satellite messages for position and status reporting |
| Wi-Fi Radio Module | 300 Mbps high-bandwidth link for surfaced data offload |
| Communications Controller | routed and prioritised messages across all comms links |
| Main Pressure Hull Cylinder | 1-atmosphere dry environment at 6000m depth for all internal electronics |
| Forward Endcap Assembly | pressure-tight sensor cable feedthrough and optical viewport |
| Aft Endcap and Shaft Seal Assembly | pressure-tight rotary shaft seal with oil compensation |
| Free-Flood Fairing | streamlined hydrodynamic form with Cd less than 0.15 |
| Hull Penetrator Array | 24 pressure-rated electrical and optical feedthroughs to 6000m |

| Source | Target | Type | Description |
|---|---|---|---|
| SYS-FUNC-002 | IFC-INTERFACEDEFINITIONS-032 | derives | Navigation accuracy requirement drives guidance command interface between VMC and Navigation Processor |
| SYS-FUNC-002 | IFC-INTERFACEDEFINITIONS-031 | derives | Navigation accuracy drives GPS interface specification |
| SYS-FUNC-004 | IFC-INTERFACEDEFINITIONS-015 | derives | System watchdog requirement drives watchdog-ESC GPIO interface |
| SYS-FUNC-003 | IFC-INTERFACEDEFINITIONS-016 | derives | Emergency surfacing requirement drives drop weight release interface |
| SYS-FUNC-010 | IFC-INTERFACEDEFINITIONS-013 | derives | Pressure boundary drives magnetic coupling air gap specification |
| SYS-FUNC-010 | IFC-INTERFACEDEFINITIONS-012 | derives | Depth rating drives pressure-rated power connectors at PDU-MDE interface |
| SYS-FUNC-009 | IFC-INTERFACEDEFINITIONS-008 | derives | Noise constraint drives cable shielding and switching frequency at MDE-BLDC interface |
| SYS-FUNC-005 | SUB-FUNC-040 | derives | CTD accuracy derives from sensor payload acquisition requirement |
| SYS-FUNC-014 | SUB-FUNC-014 | derives | EMC requirement drives motor switching frequency above survey band |
| SYS-FUNC-013 | SUB-FUNC-050 | derives | Corrosion resistance drives titanium hull material selection |
| SYS-FUNC-007 | SUB-FUNC-054 | derives | Fairing drag coefficient drives vehicle mass/endurance budget |
| SYS-FUNC-010 | SUB-FUNC-053 | derives | Hull penetrator pressure rating derives from hull depth rating |
| SYS-FUNC-008 | SUB-FUNC-049 | derives | Encryption protects command channel integrity |
| SYS-FUNC-008 | SUB-FUNC-048 | derives | Message buffering ensures position reports survive link gaps |
| SYS-FUNC-008 | SUB-FUNC-045 | derives | Acoustic modem provides submerged data link |
| SYS-FUNC-005 | SUB-FUNC-044 | derives | Sensor fault isolation preserves remaining acquisition capability |
| SYS-FUNC-005 | SUB-FUNC-041 | derives | Sensor synchronisation enables coherent multi-sensor acquisition |
| SYS-FUNC-002 | SUB-FUNC-001 | derives | INS drift rate drives system-level position accuracy |
| SYS-FUNC-002 | SUB-FUNC-002 | derives | DVL velocity accuracy bounds INS-aided position error |
| SYS-FUNC-002 | SUB-FUNC-003 | derives | EKF fusion achieves system position accuracy from sensor inputs |
| SYS-FUNC-003 | SUB-FUNC-004 | derives | Navigation fault detection supports emergency response decisions |
| SYS-FUNC-002 | SUB-FUNC-005 | derives | USBL provides absolute position recalibration for long-term accuracy |
| SYS-FUNC-010 | SUB-FUNC-006 | derives | Depth sensor range covers structural depth rating |
| SYS-FUNC-001 | SUB-FUNC-009 | derives | Battery capacity derived from 24h mission energy budget |
| SYS-FUNC-001 | SUB-FUNC-011 | derives | SOC accuracy enables mission duration management |
| SYS-FUNC-003 | SUB-FUNC-010 | derives | Battery fault detection supports emergency surfacing trigger |
| SYS-FUNC-002 | SUB-FUNC-007 | derives | GPS recalibration resets accumulated INS drift |
| SYS-FUNC-002 | SUB-FUNC-008 | derives | Degraded-mode accuracy bound during aiding source loss |
| SYS-FUNC-003 | SUB-FUNC-012 | derives | PDU fault isolation prevents total power loss |
| SYS-FUNC-001 | SUB-FUNC-013 | derives | Converter efficiency impacts mission endurance |
| SYS-FUNC-009 | SUB-FUNC-014 | derives | System noise limit drives motor drive switching frequency requirement |
| SYS-FUNC-009 | SUB-FUNC-017 | derives | System noise limit drives motor acoustic noise allocation |
| SYS-FUNC-009 | SUB-FUNC-018 | derives | System noise limit drives propeller cavitation inception requirement |
| SYS-FUNC-001 | SUB-FUNC-016 | derives | Energy budget drives motor efficiency requirement |
| SYS-FUNC-010 | SUB-FUNC-023 | derives | System pressure rating drives actuator housing pressure requirement |
| SYS-FUNC-002 | SUB-FUNC-015 | derives | Navigation accuracy requirement drives motor speed regulation |
| SYS-FUNC-010 | SUB-FUNC-019 | derives | Pressure hull rating drives magnetic coupling torque specification |
| SYS-FUNC-002 | SUB-FUNC-020 | derives | Navigation accuracy drives control surface precision |
| SYS-FUNC-001 | SUB-FUNC-021 | derives | Energy endurance requirement drives buoyancy trim to reduce propulsive power for depth control |
| SYS-FUNC-003 | SUB-FUNC-022 | derives | Emergency fault detection drives motor drive protection requirements |
| SYS-FUNC-003 | SUB-FUNC-024 | derives | Drop weight release time derives from emergency surfacing requirement |
| SYS-FUNC-003 | SUB-FUNC-025 | derives | Burn-wire backup ensures emergency surfacing reliability |
| SYS-FUNC-003 | SUB-FUNC-026 | derives | ESC sequence implements the emergency surfacing initiation |
| SYS-FUNC-004 | SUB-FUNC-033 | derives | Watchdog timer specification derives from system watchdog requirement |
| SYS-FUNC-003 | SUB-FUNC-034 | derives | Automatic fallback to burn-wire ensures emergency surfacing succeeds |
| SYS-FUNC-003 | SUB-FUNC-027 | derives | ESC power independence ensures emergency surfacing works after main battery depletion |
| SYS-FUNC-003 | SUB-FUNC-028 | derives | Triple-redundant voting prevents spurious emergency surfacing |
| SYS-FUNC-003 | SUB-FUNC-029 | derives | Beacon surface activation supports recovery after emergency surfacing |
| SYS-FUNC-003 | SUB-FUNC-030 | derives | 72-hour beacon endurance ensures recovery in remote ocean areas |
| SYS-FUNC-003 | SUB-FUNC-031 | derives | Acoustic pinger enables seabed localisation when surfacing fails |
| SYS-FUNC-003 | SUB-FUNC-032 | derives | Leak detection provides critical fault input for emergency surfacing |
| SYS-FUNC-005 | SUB-FUNC-035 | derives | System bathymetry resolution cascades to MBES beam specification |
| SYS-FUNC-005 | SUB-FUNC-036 | derives | Bathymetry accuracy requires sound velocity correction |
| SYS-FUNC-006 | SUB-FUNC-042 | derives | Storage write rate derives from system sustained write requirement |
| SYS-FUNC-006 | SUB-FUNC-043 | derives | Storage capacity and integrity derive from system storage requirement |
| SYS-FUNC-009 | SUB-FUNC-037 | derives | System noise budget cascades to MBES out-of-band emission limit |
| SYS-FUNC-008 | SUB-FUNC-046 | derives | Iridium position reporting derives from system surfaced comms requirement |
| SYS-FUNC-008 | SUB-FUNC-047 | derives | Wi-Fi offload provides high-bandwidth complement to Iridium |
| SYS-FUNC-010 | SUB-FUNC-050 | derives | System depth rating cascades to hull pressure specification |
| SYS-FUNC-007 | SUB-FUNC-051 | derives | System mass budget cascades to hull mass allocation |
| SYS-FUNC-010 | SUB-FUNC-052 | derives | Depth rating drives shaft seal pressure specification |
| SYS-FUNC-005 | SUB-FUNC-038 | derives | Camera capability derives from sensor payload acquisition requirement |
| SYS-FUNC-005 | SUB-FUNC-039 | derives | LED illumination enables camera acquisition at depth |
| STK-OPS-002 | SYS-FUNC-012 | derives | Safe surfacing need drives pre-dive verification of safety systems |
| STK-OPS-009 | SYS-FUNC-011 | derives | Wide environmental envelope drives reliability targets |
| STK-OPS-008 | SYS-FUNC-007 | derives | Maintainability drives modular construction within handling constraints |
| STK-OPS-007 | SYS-FUNC-003 | derives | Classification rules mandate independent emergency recovery capability |
| STK-OPS-007 | SYS-FUNC-010 | derives | Classification rules drive structural safety factor requirements |
| STK-OPS-002 | SYS-FUNC-008 | derives | Emergency surfacing requires recovery aids for vehicle location |
| STK-OPS-005 | SYS-FUNC-009 | derives | Marine mammal protection requires propulsion noise and sonar frequency constraints |
| STK-OPS-004 | SYS-FUNC-008 | derives | Recovery from vessel requires location aids when surfaced |
| STK-OPS-004 | SYS-FUNC-007 | derives | Standard vessel deployment constrains vehicle mass and dimensions |
| STK-OPS-003 | SYS-FUNC-006 | derives | Georeferenced data collection requires adequate onboard storage capacity |
| STK-OPS-003 | SYS-FUNC-005 | derives | Publication-quality bathymetry requires specified multibeam resolution and swath |
| STK-OPS-002 | SYS-FUNC-004 | derives | Autonomous fault detection requires hardware watchdog as last-resort trigger |
| STK-OPS-002 | SYS-FUNC-003 | derives | Vehicle loss prevention requires independent emergency buoyancy |
| STK-OPS-001 | SYS-FUNC-002 | derives | Autonomous survey requires dead-reckoning navigation accuracy |
| STK-OPS-001 | SYS-FUNC-001 | derives | 24-hour autonomous mission requires sufficient energy storage |

| Requirement | Verified By | Type | Description |
|---|---|---|---|
| SUB-FUNC-025 | VER-TEST-042 | verifies | Verification of burn-wire backup release across temperature range |
| SUB-FUNC-004 | VER-TEST-041 | verifies | Verification of navigation sensor fault detection and exclusion |
| SUB-FUNC-028 | VER-TEST-040 | verifies | Verification of two-of-three majority voting with transient rejection |
| SUB-FUNC-027 | VER-TEST-039 | verifies | Verification of ESC emergency battery 48-hour endurance |
| SUB-FUNC-032 | VER-037 | verifies | Leak detection threshold verification at every sensing point |
| SUB-FUNC-049 | VER-036 | verifies | Communications encryption verification |
| SUB-FUNC-050 | VER-035 | verifies | Pressure hull hydrostatic proof test |
| SUB-FUNC-024 | VER-034 | verifies | Dedicated drop weight release timing test |
| SUB-FUNC-010 | VER-033 | verifies | Dedicated BMS fault detection boundary test |
| SUB-FUNC-042 | VER-TEST-028 | verifies | End-to-end sensor payload test verifies SUB-FUNC-042 |
| SUB-FUNC-041 | VER-TEST-028 | verifies | End-to-end sensor payload test verifies SUB-FUNC-041 |
| SUB-FUNC-040 | VER-TEST-028 | verifies | End-to-end sensor payload test verifies SUB-FUNC-040 |
| SUB-FUNC-038 | VER-TEST-028 | verifies | End-to-end sensor payload test verifies SUB-FUNC-038 |
| SUB-FUNC-035 | VER-TEST-028 | verifies | End-to-end sensor payload test verifies SUB-FUNC-035 |
| SUB-FUNC-033 | VER-TEST-021 | verifies | End-to-end emergency surfacing test verifies SUB-FUNC-033 |
| SUB-FUNC-028 | VER-TEST-021 | verifies | End-to-end emergency surfacing test verifies SUB-FUNC-028 |
| SUB-FUNC-027 | VER-TEST-021 | verifies | End-to-end emergency surfacing test verifies SUB-FUNC-027 |
| SUB-FUNC-026 | VER-TEST-021 | verifies | End-to-end emergency surfacing test verifies SUB-FUNC-026 |
| SUB-FUNC-024 | VER-TEST-021 | verifies | End-to-end emergency surfacing test verifies SUB-FUNC-024 |
| SUB-FUNC-020 | VER-TEST-013 | verifies | End-to-end propulsion test verifies SUB-FUNC-020 |
| SUB-FUNC-018 | VER-TEST-013 | verifies | End-to-end propulsion test verifies SUB-FUNC-018 |
| SUB-FUNC-016 | VER-TEST-013 | verifies | End-to-end propulsion test verifies SUB-FUNC-016 |
| SUB-FUNC-014 | VER-TEST-013 | verifies | End-to-end propulsion test verifies SUB-FUNC-014 |
| SUB-FUNC-003 | VER-TEST-006 | verifies | End-to-end nav test verifies SUB-FUNC-003 |
| SUB-FUNC-002 | VER-TEST-006 | verifies | End-to-end nav test verifies SUB-FUNC-002 |
| SUB-FUNC-001 | VER-TEST-006 | verifies | End-to-end nav test verifies SUB-FUNC-001 |
| IFC-INTERFACEDEFINITIONS-030 | VER-TEST-032 | verifies | CC-VMC command delivery and restart resilience test |
| IFC-INTERFACEDEFINITIONS-029 | VER-TEST-031 | verifies | Wi-Fi concurrent TCP/UDP test |
| IFC-INTERFACEDEFINITIONS-028 | VER-TEST-030 | verifies | Iridium SBD AT command protocol test |
| IFC-INTERFACEDEFINITIONS-027 | VER-TEST-029 | verifies | Acoustic modem RS-232 packet test |
| IFC-INTERFACEDEFINITIONS-026 | VER-TEST-027 | verifies | SPP-to-VMC telemetry and data offload test |
| IFC-INTERFACEDEFINITIONS-025 | VER-TEST-026 | verifies | NVMe sustained write throughput and latency test |
| IFC-INTERFACEDEFINITIONS-024 | VER-TEST-025 | verifies | CTD-to-MBES real-time sound velocity correction test |
| IFC-INTERFACEDEFINITIONS-023 | VER-TEST-024 | verifies | CTD RS-232 telegram reception and parsing test |
| IFC-INTERFACEDEFINITIONS-022 | VER-TEST-023 | verifies | Camera GigE Vision trigger synchronisation test |
| IFC-INTERFACEDEFINITIONS-021 | VER-TEST-022 | verifies | MBES-to-SPP Ethernet throughput and packet loss test |
| IFC-INTERFACEDEFINITIONS-020 | VER-TEST-020 | verifies | Integration test for hardwired battery critical signal |
| IFC-INTERFACEDEFINITIONS-019 | VER-TEST-019 | verifies | Integration test for ESC-VMC UART telemetry and watchdog independence |
| IFC-INTERFACEDEFINITIONS-018 | VER-TEST-018 | verifies | Integration test for beacon arming and surface activation |
| IFC-INTERFACEDEFINITIONS-017 | VER-TEST-017 | verifies | Integration test for pinger activation interface |
| IFC-INTERFACEDEFINITIONS-016 | VER-TEST-016 | verifies | Integration test for drop weight release circuits |
| IFC-INTERFACEDEFINITIONS-015 | VER-TEST-015 | verifies | Integration test for watchdog timeout GPIO interface |
| IFC-INTERFACEDEFINITIONS-014 | VER-TEST-014 | verifies | Integration test for leak detection I2C interface |
| IFC-INTERFACEDEFINITIONS-011 | VER-TEST-012 | verifies | Buoyancy trim system command and telemetry interface test |
| IFC-INTERFACEDEFINITIONS-010 | VER-TEST-011 | verifies | Control surface actuator command and feedback accuracy test |
| IFC-INTERFACEDEFINITIONS-009 | VER-TEST-010 | verifies | CAN bus test for VMC-to-MDE command/telemetry interface |
| IFC-INTERFACEDEFINITIONS-008 | VER-TEST-009 | verifies | Integration test for MDE-to-BLDC power and feedback interface |
| IFC-INTERFACEDEFINITIONS-007 | VER-TEST-008 | verifies | Load shed command timing test for PDU interface |
| IFC-INTERFACEDEFINITIONS-006 | VER-TEST-007 | verifies | 24-hour CAN bus monitoring test for BMS interface |
| IFC-INTERFACEDEFINITIONS-005 | VER-TEST-005 | verifies | Sequence counter gap detection test for depth interface |
| IFC-INTERFACEDEFINITIONS-004 | VER-TEST-004 | verifies | UDP output rate and latency test for NavProc-VMC interface |
| IFC-INTERFACEDEFINITIONS-003 | VER-TEST-003 | verifies | Latency and uncertainty propagation test for USBL interface |
| IFC-INTERFACEDEFINITIONS-002 | VER-TEST-002 | verifies | CRC and message parsing test for DVL interface |
| IFC-INTERFACEDEFINITIONS-001 | VER-TEST-001 | verifies | Bench test for INS-NavProc serial interface |
| SYS-FUNC-002 | VER-TEST-006 | verifies | End-to-end navigation accuracy integration test |