System Decomposition Report — Generated 2026-03-27 — UHT Journal / universalhex.org
This report was generated autonomously by the UHT Journal systems engineering loop. An AI agent decomposed the system into subsystems and components, classified each using the Universal Hex Taxonomy (a 32-bit ontological classification system), generated traced requirements in AIRGen, and built architecture diagrams — all without human intervention.
Every component and subsystem is assigned an 8-character hex code representing its ontological profile across 32 binary traits organised in four layers: Physical (bits 1–8), Functional (9–16), Abstract (17–24), and Social (25–32). These codes enable cross-domain comparison — components from unrelated systems that share a hex code or high Jaccard similarity are ontological twins, meaning they occupy the same structural niche despite belonging to different domains.
Duplicate hex codes are informative, not errors. When two components share the same code, it means UHT classifies them as the same kind of thing — they have identical trait profiles. This reveals architectural patterns: for example, a fire control computer and a sensor fusion engine may share the same hex because both are powered, synthetic, signal-processing, state-transforming, system-essential components. The duplication signals that requirements, interfaces, and verification approaches from one may transfer to the other.
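As an added illustration (not part of the UHT Journal tooling), the following Python decodes the 8-character codes into their four layers and computes the Jaccard similarity used for twin detection, run over the stakeholder and interface codes printed later in this report. The bit-numbering convention (trait 1 as the most significant bit of the 32-bit word) and the 0.75 twin threshold are assumptions; the trait names themselves are not given on this page, so only trait numbers are reported.

```python
"""Decode Universal Hex Taxonomy codes and compare them by Jaccard similarity.

Added example; it is not code from the UHT Journal or AIRGen. The layer
boundaries come from the report text. The bit-numbering convention
(bit 1 = most significant bit of the 32-bit word) and the 0.75 twin
threshold are assumptions, not part of the taxonomy as published here."""
from itertools import combinations

LAYERS = (("Physical", 1, 8), ("Functional", 9, 16),
          ("Abstract", 17, 24), ("Social", 25, 32))


def decode(hex_code: str) -> set[int]:
    """Return the set of asserted trait numbers (1..32) for an 8-char hex code."""
    if len(hex_code) != 8:
        raise ValueError(f"expected 8 hex characters, got {hex_code!r}")
    word = int(hex_code, 16)
    # assumption: trait 1 is the MSB, trait 32 the LSB
    return {bit for bit in range(1, 33) if (word >> (32 - bit)) & 1}


def layer_profile(hex_code: str) -> dict[str, list[int]]:
    """Group the asserted traits by the four UHT layers."""
    bits = decode(hex_code)
    return {name: sorted(b for b in bits if lo <= b <= hi)
            for name, lo, hi in LAYERS}


def jaccard(code_a: str, code_b: str) -> float:
    """|A ∩ B| / |A ∪ B| over the asserted-trait sets; 1.0 for identical codes."""
    a, b = decode(code_a), decode(code_b)
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def ontological_twins(codes: dict[str, str],
                      threshold: float = 0.75) -> list[tuple[str, str, float]]:
    """Pairs of components whose similarity meets the threshold, best first."""
    pairs = [(x, y, jaccard(codes[x], codes[y]))
             for x, y in combinations(sorted(codes), 2)]
    return sorted((p for p in pairs if p[2] >= threshold), key=lambda p: -p[2])


# Stakeholder and external-interface codes as printed in this report.
REPORT_CODES = {
    "Weapons System Maintainer": "00843AF9",
    "Vehicle Commander": "008578F9",
    "RWS System Integrator": "40853879",
    "GPS/Navigation System": "54E57019",
    "Host Vehicle Platform": "DE851019",
    "Ammunition Supply System": "44853859",
}

if __name__ == "__main__":
    for name, code in REPORT_CODES.items():
        print(name, code, layer_profile(code))
    for x, y, score in ontological_twins(REPORT_CODES):
        print(f"{x} ~ {y}: {score:.3f}")
```

Under the assumed bit order, none of the six codes has a Physical-layer trait except the integrator and the two hardware interfaces, and the closest pair is the Ammunition Supply System and the RWS System Integrator at 11/13; the Jaccard value itself does not depend on which end of the word is called bit 1, only the layer grouping does.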
Requirements follow the EARS pattern (Easy Approach to Requirements Syntax) and are traced through a derivation chain: Stakeholder Needs (STK) → System Requirements (SYS) → Subsystem Requirements (SUB) / Interface Requirements (IFC) → Verification Plan (VER). The traceability matrices at the end of this report show every link in that chain.
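The derivation chain can be checked mechanically. The following added example (not code from the UHT Journal or AIRGen) classifies a requirement statement by its EARS keyword and extracts the requirement identifiers cited in each row; run over abridged copies of rows from this report (constructed input), it reports rows with no upward link, rows that skip a tier, and rows whose rationale cites a lower tier. The function names and the numeric tier ordering are this example's own.

```python
"""EARS pattern classification and derivation-chain checks over requirement rows.

Added example, not part of the report or the AIRGen tool. The rows below are
abridged from this report's own requirement tables (constructed test input);
the EARS keyword test is purely syntactic."""
import re

# EARS templates, tested on the requirement text that precedes "Rationale:".
EARS_PATTERNS = (
    ("Optional feature",   re.compile(r"^Where\b", re.I)),
    ("Event-driven",       re.compile(r"^When\b", re.I)),
    ("State-driven",       re.compile(r"^While\b", re.I)),
    ("Unwanted behaviour", re.compile(r"^If\b.*\bthen\b", re.I | re.S)),
)
REF = re.compile(r"\b(?:STK|SYS|SUB|IFC|VER)-REQ-\d{3}\b")
TIER = {"STK": 0, "SYS": 1, "SUB": 2, "IFC": 2, "VER": 3}   # chain order from the report


def split_row(text: str) -> tuple[str, str]:
    """Separate the requirement statement from its rationale."""
    req, _, rationale = text.partition("Rationale:")
    return req.strip(), rationale.strip()


def classify_ears(text: str) -> str:
    req, _ = split_row(text)
    for name, pattern in EARS_PATTERNS:
        if pattern.search(req):
            return name
    return "Ubiquitous" if "SHALL" in req else "Non-EARS"


def trace_links(ref: str, text: str) -> set[str]:
    """Every other requirement identifier mentioned anywhere in the row."""
    return {m.group(0) for m in REF.finditer(text)} - {ref}


def check_chain(rows: dict[str, str]) -> dict[str, list]:
    """Flag rows with no upward link, rows that skip a tier, and rows whose
    rationale cites a lower tier (a downward reference, e.g. STK citing SYS)."""
    untraced, skipped, downward = [], [], []
    for ref, text in rows.items():
        tier = TIER[ref[:3]]
        links = trace_links(ref, text)
        upward = {l for l in links if TIER[l[:3]] < tier}
        if tier > 0 and not upward:
            untraced.append(ref)
        elif tier > 0 and max(TIER[l[:3]] for l in upward) < tier - 1:
            skipped.append(ref)
        downward.extend(sorted((ref, l) for l in links if TIER[l[:3]] > tier))
    return {"untraced": untraced, "skipped": skipped, "downward": downward}


# Constructed input: abridged copies of rows from this report.
SAMPLE_ROWS = {
    "STK-REQ-012": ("When one sensor modality (EO or TI) has failed, the Remote Weapon Station "
                    "SHALL continue to provide weapon engagement capability using the remaining "
                    "sensor. Rationale: Quantified threshold derived from SYS-REQ-011 degraded "
                    "engagement analysis."),
    "SYS-REQ-001": ("The Remote Weapon Station SHALL achieve a first-round hit probability of not "
                    "less than 0.7. Rationale: Derived from STK-REQ-001 and STK-REQ-003."),
    "SYS-REQ-009": ("When the operator control link is lost, the Remote Weapon Station SHALL safe "
                    "the weapon firing circuit within 500ms. Rationale: Derived from STK-REQ-013."),
    "SYS-REQ-011": ("While in Degraded Operation mode with thermal imager failed, the Remote Weapon "
                    "Station SHALL maintain engagement capability. Rationale: Derived from STK-REQ-012."),
    "SUB-REQ-001": ("The Dual-Channel Safety Controller SHALL implement a 1oo2D redundant channel "
                    "architecture. Rationale: IEC 61508 Part 2 requires quantitative verification "
                    "of PFD for SIL 3 architectures."),
    "SUB-REQ-007": ("While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the "
                    "Safety Interlock System SHALL prevent transition to ARMED state. Rationale: "
                    "STK-REQ-009 mandates lockout-tagout enforcement during maintenance."),
}

if __name__ == "__main__":
    for ref, text in SAMPLE_ROWS.items():
        print(ref, classify_ears(text), sorted(trace_links(ref, text)))
    print(check_chain(SAMPLE_ROWS))
```

On the abridged rows the check flags three things a reviewer would want to see in the traceability matrix: SUB-REQ-001 cites only a standard and no parent requirement, SUB-REQ-007 derives directly from an STK without a SYS in between, and STK-REQ-012 takes its threshold from SYS-REQ-011, which is a downward reference.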
| Standard | Title |
|---|---|
| DEF STAN 00-250 | Human Factors for Designers of Systems |
| DEF STAN 00-56 | Safety management requirements for defence systems |
| IEC 60529 | Degrees of protection provided by enclosures (IP Code) |
| IEC 60825-1 | Safety of laser products - Part 1: Equipment classification and requirements |
| IEC 61000-4-2 | Electromagnetic compatibility (EMC) - Part 4-2: Electrostatic discharge immunity test |
| IEC 61508 | Functional safety of electrical/electronic/programmable electronic safety-related systems |
| IEC 61508-3 | Functional safety of E/E/PE safety-related systems - Part 3: Software requirements |
| IEC 61508-6 | Functional safety of E/E/PE safety-related systems - Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3 |
| IEC 61800-7 | Adjustable speed electrical power drive systems - Part 7: Generic interface and use of profiles for power drive systems |
| IEC 61810 | Electromechanical elementary relays |
| IEEE 754 | Standard for Floating-Point Arithmetic |
| IEEE 802.3 | Standard for Ethernet |
| ISO 11898 | Road vehicles - Controller area network (CAN) |
| STANAG 3606 | Evaluation and Control of Laser Hazards on Military Ranges |
| STANAG 4059 | — |
| STANAG 4090 | — |
| STANAG 4347 | — |
| STANAG 4370 | Environmental Testing |
| STANAG 4472 | — |
| STANAG 4569 | Protection Levels for Occupants of Logistic and Light Armoured Vehicles |
| STANAG 4586 | Standard interfaces of UAV control system for NATO UAV interoperability |
| STANAG 5048 | — |
| STANAG 5516 | Tactical Data Exchange - Link 16 |
| Acronym | Expansion |
|---|---|
| ARC | Architecture Decisions |
| BMS | Battle Management System |
| CCCS | Completeness, Consistency, Correctness, Stability |
| CIU | Communications Interface Unit |
| EARS | Easy Approach to Requirements Syntax |
| FMEDA | Failure Modes Effects and Diagnostic Analysis |
| IFC | Interface Requirements |
| LRU | Line Replaceable Unit |
| MTBCF | Mean Time Between Critical Failures |
| MTTR | Mean Time To Repair |
| OEM | Original Equipment Manufacturer |
| SSPC | Solid State Power Controller |
| STK | Stakeholder Requirements |
| SUB | Subsystem Requirements |
| SYS | System Requirements |
| TDC | Turret Drive Controller |
| UHT | Universal Hex Taxonomy |
| VER | Verification Plan |
| WCI | Weapon Control Interface |
| Stakeholder | Relationship | Hex Code |
|---|---|---|
| Dismounted Infantry | Personnel at risk from turret motion and weapon discharge. Safety-critical stakeholder. Derived from urban patrol and emergency scenarios. | — |
| Weapons System Maintainer | Performs preventive/corrective maintenance in turret hazard zone. Requires lockout-tagout safety. Derived from maintenance scenario. | 00843AF9 |
| Vehicle Crew (Driver/Loader) | Affected by recoil, vibration, noise. Loader replenishes ammunition and clears stoppages. Derived from patrol and maintenance scenarios. | — |
| Vehicle Commander (RWS Operator) | Primary operator, acquires targets and controls weapon from inside vehicle. Derived from all ConOps scenarios. | 008578F9 |
| Tactical Commander | Authorises engagement per ROE, receives sensor imagery via data link. Derived from urban patrol scenario. | — |
| RWS System Integrator (OEM) | Designs, manufactures, integrates, and supports through life. Responsible for safety case and certification. | 40853879 |
| Category | Constraint |
|---|---|
| Ingress Protection | IP67 minimum for turret assembly (dust-tight, temporary immersion for fording), IP54 for hull-mounted electronics |
| EMC/EMI | MIL-STD-461G RE102/RS103, vehicle-level EMC per DEF STAN 59-411, operation near radio transmitters and ECM |
| Safety Standards | IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 2-3 for weapon firing chain, DEF STAN 00-56 (Safety Management Requirements for Defence Systems) |
| Vibration | MIL-STD-810H Method 514.8 Cat 4 (wheeled vehicle) and Cat 8 (tracked vehicle), 5-500Hz |
| Temperature | Operating -46°C to +71°C per MIL-STD-810H Method 501.7/502.7, storage -51°C to +85°C |
| System | Interface | Hex Code |
|---|---|---|
| GPS/Navigation System | RS-422 or CAN-bus, NMEA-0183 or military GPS format, <10m CEP for ballistic computation | 54E57019 |
| Host Vehicle Platform | 28VDC power, CAN-bus data, NATO turret ring mechanical mount, 25kN recoil load structural interface | DE851019 |
| Ammunition Supply System | Mechanical belt feed, ammunition type sensor, round counter, STANAG 4090 compatible, 200-400 round magazine | 44853859 |
| Tactical Data Link (BMS) | MIL-STD-6016 or national BMS protocol, target handoff, blue force tracking, sensor imagery export via UHF/VHF | — |
| Hazard | Severity | Frequency | SIL | Safe State |
|---|---|---|---|---|
| H-001: Uncommanded weapon discharge due to electrical fault, software error, or EMI | catastrophic | rare | SIL 3 | firing circuit de-energised, mechanical sear engaged, weapon on safe |
| H-002: Uncommanded turret motion crushing or striking personnel | critical | low | SIL 2 | turret drives de-energised, mechanical brakes engaged on both axes |
| H-003: Failure to transition to safe state when commanded | catastrophic | rare | SIL 3 | independent hardware safety forces firing circuit open and drives de-energised |
| H-004: Friendly fire due to target misidentification via degraded sensors or limited FOV | catastrophic | low | SIL 2 | weapon on safe, operator alerted to identification uncertainty |
| H-005: Ammunition cookoff from sustained firing heat or vehicle fire exposure | catastrophic | rare | SIL 2 | ammunition isolated from heat source, crew evacuated, fire suppression activated |
| H-006: Loss of operator control while weapon armed due to cable damage or electronics failure | critical | medium | SIL 2 | weapon automatically safed within 500ms of link loss detection |
| H-007: Software fault causing uncommanded fire via state machine corruption or race condition | catastrophic | rare | SIL 3 | hardware firing interlock independent of software prevents discharge |
```mermaid
flowchart TB
    n0["system<br>Remote Weapon Station (RWS)"]
    n1["actor<br>Vehicle Commander"]
    n2["actor<br>Dismounted Infantry"]
    n3["external<br>Host Vehicle Platform"]
    n4["external<br>Tactical Data Link"]
    n5["external<br>Ammunition Supply"]
    n6["external<br>GPS/Navigation"]
    n7["actor<br>Weapons Maintainer"]
    n1 -->|Commands, target designation| n0
    n0 -->|Sensor video, weapon status, BIT| n1
    n3 -->|28VDC power, CAN-bus, mounting| n0
    n0 -->|Sensor imagery, engagement data| n4
    n4 -->|Target handoff, BFT, ROE| n0
    n5 -->|Belted ammunition feed| n0
    n6 -->|Position, heading| n0
    n7 -->|Maintenance, diagnostics| n0
    n0 -->|Fire support, hazard zone| n2
```

Remote Weapon Station — Context
```mermaid
flowchart TB
    n0["system<br>Remote Weapon Station (RWS)"]
    n1["subsystem<br>Electro-Optical Sensor Assembly (EOSA)"]
    n2["subsystem<br>Fire Control System (FCS)"]
    n3["subsystem<br>Turret Drive Assembly (TDA)"]
    n4["subsystem<br>Operator Control Unit (OCU)"]
    n5["subsystem<br>Safety Interlock System (SIS)"]
    n6["subsystem<br>Weapon and Ammo Handling (WAH)"]
    n7["subsystem<br>Power Distribution Unit (PDU)"]
    n8["subsystem<br>Communications Interface Unit (CIU)"]
    n1 -->|Sensor video, target data| n2
    n2 -->|Servo commands, pointing| n3
    n2 -->|Fire request, arm status| n5
    n5 -->|Fire enable/inhibit| n6
    n5 -->|Drive enable, brake cmd| n3
    n4 -->|Operator commands| n2
    n2 -->|Display data, video| n4
    n4 -->|E-STOP, arm/safe| n5
    n7 -.->|28V/12V/5V power| n1
    n7 -.->|12V/5V power| n2
    n7 -.->|28V drive power| n3
    n8 -->|GPS, BMS target data| n2
    n2 -->|Video export, status| n8
```

Remote Weapon Station (RWS) — Decomposition
| Subsystem | SIL | Status |
|---|---|---|
| Electro-Optical Sensor Assembly | SIL 2 | complete |
| Fire Control System | SIL 3 | complete |
| Turret Drive Assembly | SIL 2 | complete |
| Operator Control Unit | — | complete |
| Safety Interlock System | SIL 3 | complete |
| Weapon and Ammunition Handling Assembly | SIL 2 | complete |
| Power Distribution Unit | SIL 3 | complete |
| Communications Interface Unit | — | complete |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| STK-REQ-001 | The Remote Weapon Station SHALL enable the Vehicle Commander to detect, identify, and engage targets from within the armoured vehicle without crew exposure above the hull line. Rationale: Vehicle Commander (RWS Operator), Urban Patrol Engagement scenario: the fundamental operational need is eliminating crew exposure during weapon operation, which is the leading cause of upper-body casualties in mounted operations. | Demonstration | stakeholder, stk-vc-operator, session-617, idempotency:stk-vc-operator-no-exposure-617 |
| STK-REQ-002 | The Remote Weapon Station SHALL provide stabilised electro-optical and thermal imaging sensors with minimum 0.3 mrad IFOV day-channel resolution and equivalent thermal imaging resolution, enabling positive target identification at ranges up to 1500m in day and 800m in night and obscured conditions. Rationale: Vehicle Commander (RWS Operator), Urban Patrol Engagement scenario: operator detects RPG threat on rooftop via thermal, confirms with day camera. Dual-mode sensor with PID range drives engagement decision quality and reduces friendly fire risk (H-004). | Test | stakeholder, stk-vc-operator, session-617, idempotency:stk-vc-operator-sensor-capability-617 |
| STK-REQ-003 | The Remote Weapon Station SHALL provide the Vehicle Commander with an automated target tracking capability to maintain weapon-target alignment during vehicle motion. Rationale: Vehicle Commander (RWS Operator), Urban Patrol Engagement scenario: auto-tracks target prior to firing 3-round burst at 200m. Manual tracking from a moving vehicle is impractical for the engagement timelines in urban asymmetric warfare. | Test | stakeholder, stk-vc-operator, session-617, idempotency:stk-vc-operator-auto-track-617 |
| STK-REQ-004 | The Remote Weapon Station SHALL support engagement authorization by the Tactical Commander via data link before weapon discharge is permitted. Rationale: Tactical Commander, Urban Patrol Engagement scenario: commander receives authorization before arming weapon. ROE compliance requires explicit engagement authority in the fire control chain. | Demonstration | stakeholder, stk-tac-cmdr, session-617, idempotency:stk-tac-cmdr-auth-617 |
| STK-REQ-005 | The Remote Weapon Station SHALL provide sensor imagery and target data to the Tactical Commander via the tactical data link for situational awareness and engagement decisions. Rationale: Tactical Commander, Urban Patrol Engagement scenario: tactical commander receives sensor imagery via data link to authorise engagement per ROE. Without shared imagery the commander cannot make informed fire decisions. | Test | stakeholder, stk-tac-cmdr, session-617, idempotency:stk-tac-cmdr-sa-617 |
| STK-REQ-006 | The Remote Weapon Station SHALL protect dismounted infantry from uncommanded turret motion by de-energising turret drives and engaging mechanical brakes within 500ms of any safety interlock trip or emergency stop activation. Rationale: Dismounted Infantry, Emergency Stop scenario: uncommanded motion detected, drives de-energised and braked within 200ms. The 500ms stated here is the stakeholder-level upper bound; the system-level allocation in SYS-REQ-010 tightens it to the 200ms of the scenario. Dismounted personnel in the turret danger zone are the highest-risk stakeholder for H-002 (crushing/striking). | Test | stakeholder, stk-dismounted, session-617, safety, idempotency:stk-dismounted-turret-safety-617 |
| STK-REQ-007 | The Remote Weapon Station SHALL prevent weapon discharge when a safety interlock is tripped, an E-STOP is activated, or the operator control link is lost. Rationale: Dismounted Infantry, IED Strike Control Loss and Emergency Stop scenarios: weapon must be safed immediately when control is compromised. Addresses H-001 (uncommanded discharge), H-006 (loss of control), and H-007 (software fault). | Test | stakeholder, stk-dismounted, session-617, safety, idempotency:stk-dismounted-no-discharge-617 |
| STK-REQ-008 | The Remote Weapon Station SHALL support barrel change and ammunition replenishment by a single maintainer within 15 minutes using standard tools, with the weapon confirmed clear and turret in maintenance mode. Rationale: Weapons System Maintainer, Field Maintenance Barrel Change scenario: armourer changes barrel in 15 min, inspects feed, reloads. Maintenance must be achievable in the field without specialist equipment. | Demonstration | stakeholder, stk-maintainer, session-617, idempotency:stk-maintainer-barrel-change-617 |
| STK-REQ-009 | The Remote Weapon Station SHALL enforce lockout-tagout safety interlocks during maintenance mode, preventing turret traverse beyond maintenance limits and weapon energisation while access panels are open. Rationale: Weapons System Maintainer, Field Maintenance scenario: safety interlocks enforced, no traverse past maintenance limits, access panels unlocked only in maintenance mode. Protects maintainer from H-002 (turret motion) while working in the hazard zone. | Test | stakeholder, stk-maintainer, session-617, safety, idempotency:stk-maintainer-lockout-617 |
| STK-REQ-010 | The Remote Weapon Station SHALL isolate the Vehicle Crew from recoil loads, excessive vibration, and acoustic overpressure during sustained weapon firing. Rationale: Vehicle Crew (Driver/Loader), Urban Patrol Engagement scenario: crew affected by recoil, vibration, noise. Recoil isolation prevents structural damage to crew station equipment and injury to occupants. | Test | stakeholder, stk-crew, session-617, idempotency:stk-crew-recoil-isolation-617 |
| STK-REQ-011 | The Remote Weapon Station SHALL enable the Loader to replenish ammunition and clear weapon stoppages from within the vehicle or from a protected position without entering the turret danger zone during engagement mode. Rationale: Vehicle Crew (Driver/Loader), Field Maintenance scenario: loader replenishes ammunition and clears stoppages. Ammunition handling must not require crew exposure during active operations. | Demonstration | stakeholder, stk-crew, session-617, idempotency:stk-crew-ammo-replenish-617 |
| STK-REQ-012 | When one sensor modality (EO or TI) has failed, the Remote Weapon Station SHALL continue to provide weapon engagement capability using the remaining sensor with a minimum engagement range of 200m against a 2m x 2m stationary target at Phit >= 0.5, alerting the operator to degraded accuracy via both visual and audible indication. Rationale: Vehicle Commander (RWS Operator), Degraded Sensor Operation scenario: thermal crossover renders TI ineffective, system falls back to day camera with manual tracking. Phit >= 0.5 at 200m represents minimum suppressive capability; below this threshold, the system cannot reliably neutralise an RPG threat. Quantified threshold derived from SYS-REQ-011 degraded engagement analysis. | Test | stakeholder, stk-vc-operator, session-617, idempotency:stk-vc-operator-degraded-ops-617 |
| STK-REQ-013 | The Remote Weapon Station SHALL automatically safe the weapon and alert the operator within 500ms when the control link between the operator control unit and the turret is lost. Rationale: Vehicle Commander (RWS Operator), IED Strike Control Loss scenario: IED damages cable harness, control link lost, hardware safety auto-safes weapon within 500ms. Addresses H-006 directly — armed weapon with no operator is catastrophic. | Test | stakeholder, stk-vc-operator, session-617, safety, idempotency:stk-vc-operator-link-loss-617 |
| STK-REQ-014 | The Remote Weapon Station SHALL be designed for modular LRU replacement enabling field-level corrective maintenance of any faulty subsystem within 60 minutes using standard military tool sets. Rationale: RWS System Integrator (OEM), Field Maintenance scenario and IED Strike scenario: LRU replacement needed after encoder fault or battle damage. Through-life supportability requires modular design with standard tooling. | Demonstration | stakeholder, stk-oem, session-617, idempotency:stk-oem-lru-replacement-617 |
| STK-REQ-015 | The Remote Weapon Station SHALL comply with IEC 61508 (Functional safety of E/E/PE safety-related systems) SIL 2 minimum for all safety functions, and SIL 3 for the weapon firing chain, to support the OEM safety case and DEF STAN 00-56 (Safety Management Requirements for Defence Systems) certification. Rationale: RWS System Integrator (OEM), regulatory stakeholder: hazard register identifies H-001, H-003, H-007 as SIL 3 (catastrophic uncommanded discharge, failure to safe, software fault) and H-002, H-004, H-005, H-006 as SIL 2. Certification requires demonstrated compliance. | Analysis | stakeholder, stk-oem, session-617, safety, regulatory, idempotency:stk-oem-sil-compliance-617 |
| STK-REQ-016 | The Remote Weapon Station SHALL operate across the full military temperature range of -46°C to +71°C and withstand vibration per MIL-STD-810H Method 514.8 Category 4/8 without degradation of safety or engagement functions. Rationale: Environment as stakeholder, operating constraints: temperature and vibration extremes define the envelope within which all functions must perform. Failure to operate at temperature extremes leaves vehicles without weapon capability in theatre. | Test | stakeholder, stk-environment, session-617, idempotency:stk-env-temp-vib-617 |
| STK-REQ-017 | The Remote Weapon Station SHALL achieve IP67 ingress protection for the turret assembly and IP54 for hull-mounted electronics to support operations in desert, tropical, and fording conditions. Rationale: Environment as stakeholder, Ingress Protection constraint: turret is exposed to rain, dust, mud, and temporary immersion during fording. Electronics failure from ingress causes loss of weapon capability in the field. | Test | stakeholder, stk-environment, session-617, idempotency:stk-env-ip-rating-617 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SYS-REQ-001 | The Remote Weapon Station SHALL achieve a first-round hit probability of not less than 0.7 against a stationary 2m x 2m target at 200m from a vehicle moving at 15 km/h, using stabilised fire control. Rationale: Derived from STK-REQ-001 and STK-REQ-003. Urban engagement scenario requires high first-round hit probability at typical urban combat ranges from a moving platform. 0.7 Phit is the minimum for effective suppression against an RPG threat. | Test | system, performance, session-617, idempotency:sys-engagement-accuracy-617 |
| SYS-REQ-002 | The Remote Weapon Station SHALL complete the sequence from target detection to first round fired in not more than 8 seconds when the system is in Surveillance mode and the weapon is loaded. Rationale: Derived from STK-REQ-001. Urban Patrol Engagement scenario: short engagement timelines in asymmetric warfare require rapid transition from surveillance to engagement. 8s is derived from typical RPG engagement timelines. | Test | system, performance, session-617, idempotency:sys-engagement-time-617 |
| SYS-REQ-003 | The Remote Weapon Station SHALL provide continuous 360° azimuth traverse and -20° to +60° elevation coverage with a slew rate of not less than 60°/s in azimuth and 40°/s in elevation. Rationale: Derived from STK-REQ-001. Omnidirectional threat environment in urban warfare requires full-hemisphere coverage. Slew rates derived from engagement timeline: 180° worst-case traverse in 3s to meet 8s detection-to-fire budget. | Test | system, performance, session-617, idempotency:sys-traverse-coverage-617 |
| SYS-REQ-004 | The Remote Weapon Station SHALL provide day-channel imaging with minimum 0.3 mrad IFOV and thermal imaging with minimum NETD of 50 mK at 30°C, with dual-FOV (wide 18° and narrow 3°) on both channels. Rationale: Derived from STK-REQ-002. PID at 1500m (day) and 800m (night) is assessed by the Johnson criteria (6 cycles across the target's critical dimension). Note that a 0.5m feature subtends only about 0.33 mrad at 1500m, so resolving 6 cycles on it would need an IFOV far below 0.3 mrad; the 0.3 mrad figure is inherited from STK-REQ-002 and must be reconciled with the PID range in SYS-REQ-018 at verification. 50 mK NETD ensures thermal detection through moderate obscurants. | Test | system, performance, session-617, idempotency:sys-sensor-performance-617 |
| SYS-REQ-005 | The Remote Weapon Station SHALL include a laser rangefinder with range accuracy of ±5m at ranges from 200m to 3000m, eye-safe to NATO STANAG 3606. Rationale: Derived from STK-REQ-002. Ballistic computation requires accurate range data. ±5m accuracy at 3000m ensures fire control solution error is dominated by other factors (wind, propellant temperature), not range measurement. | Test | system, performance, session-617, idempotency:sys-lrf-performance-617 |
| SYS-REQ-006 | The Remote Weapon Station SHALL maintain automatic target tracking with a tracking error of not more than 0.5 mrad RMS on a crossing target moving at 30 km/h at 500m range. Rationale: Derived from STK-REQ-003. Auto-tracking accuracy must keep the weapon within the target silhouette for the burst duration. 0.5 mrad RMS at 500m is 0.25m displacement — within a personnel target width. | Test | system, performance, session-617, idempotency:sys-tracking-accuracy-617 |
| SYS-REQ-007 | The Remote Weapon Station SHALL implement a two-action weapon arming sequence requiring explicit operator ARM command followed by independent authorization confirmation before enabling the firing circuit. Rationale: Derived from STK-REQ-004 and STK-REQ-007. Engagement mode transition requires two-action authorization per concept. Prevents accidental arming and supports ROE compliance chain. Addresses H-001 and H-007. | Test | system, safety, sil-3, session-617, idempotency:sys-two-action-arm-617 |
| SYS-REQ-008 | The Remote Weapon Station SHALL provide a hardware firing interlock independent of the fire control software that physically prevents weapon discharge when any safety condition is active (E-STOP, interlock trip, maintenance mode, or control link loss). Rationale: H-001, H-003, H-007 drive SIL 3. Software alone cannot achieve SIL 3 PFD targets. A hardware interlock independent of the FCS software provides a diverse second channel that prevents discharge regardless of software state. | Test | system, safety, sil-3, session-617, idempotency:sys-hw-firing-interlock-617 |
| SYS-REQ-009 | When the operator control link is lost, the Remote Weapon Station SHALL safe the weapon firing circuit and de-energise turret drives within 500ms of link loss detection. Rationale: Derived from STK-REQ-013. H-006 (loss of operator control while armed, SIL 2). IED Strike scenario: 500ms is the maximum acceptable time for an armed weapon to remain active without operator control. Hardware watchdog timer drives this independently of software. | Test | system, safety, sil-2, session-617, idempotency:sys-link-loss-safing-617 |
| SYS-REQ-010 | When Emergency Stop is activated, the Remote Weapon Station SHALL de-energise all turret drive motors and engage mechanical brakes on both azimuth and elevation axes within 200ms. Rationale: Derived from STK-REQ-006. H-002 (uncommanded turret motion, SIL 2). Emergency Stop scenario specifies 200ms brake engagement. Spring-applied brakes ensure fail-safe — loss of power results in braking, not free rotation. | Test | system, safety, sil-2, session-617, idempotency:sys-estop-brake-617 |
| SYS-REQ-011 | While in Degraded Operation mode with thermal imager failed, the Remote Weapon Station SHALL maintain engagement capability using the day camera with manual tracking, at a minimum engagement range of 200m against a stationary target. Rationale: Derived from STK-REQ-012. Degraded Sensor Operation scenario: single sensor failure must not render the system combat-ineffective. 200m minimum range with day camera and manual tracking provides last-ditch engagement capability. | Test | system, performance, session-617, idempotency:sys-degraded-engagement-617 |
| SYS-REQ-012 | The Remote Weapon Station SHALL complete Built-In Test of all safety-critical functions (servo drives, safety interlocks, firing circuit, sensor BIT) within 90 seconds of power application at -46°C. Rationale: Derived from STK-REQ-016. Initialization/BIT mode specifies 30-90s. Cold-start at -46°C is the worst case — lubricant viscosity, sensor warm-up, and electronics stabilisation are slowest. 90s ceiling ensures tactical readiness. | Test | system, performance, session-617, idempotency:sys-bit-time-617 |
| SYS-REQ-013 | The Remote Weapon Station SHALL transmit sensor video, target data, and system status to the Battle Management System via MIL-STD-6016 compatible tactical data link at a minimum rate of 1 Hz for position reports and 15 fps for video. Rationale: Derived from STK-REQ-005. Tactical Commander needs real-time sensor imagery for engagement authorization. 15 fps minimum for situational awareness; 1 Hz position updates for blue force tracking integration. | Test | system, interface, session-617, idempotency:sys-datalink-rate-617 |
| SYS-REQ-014 | The Remote Weapon Station SHALL withstand 25kN peak recoil load from sustained firing of the mounted weapon without structural yielding or loss of boresight alignment exceeding 1 mrad. Rationale: Derived from STK-REQ-010. Host vehicle interface specifies 25kN recoil load. Structural integrity and boresight retention under recoil are fundamental — loss of alignment during a burst makes subsequent rounds miss. | Test | system, structural, session-617, idempotency:sys-recoil-structural-617 |
| SYS-REQ-015 | The Remote Weapon Station SHALL support barrel change by a single maintainer in not more than 15 minutes with the system in Maintenance mode, and shall return to operational status within 5 minutes of maintenance completion via automated boresight verification. Rationale: Derived from STK-REQ-008. Field Maintenance scenario: 15-min barrel change, BIT confirms fix. The 5-min return-to-service includes boresight/calibration mode re-alignment after barrel change. | Demonstration | system, maintainability, session-617, idempotency:sys-barrel-change-time-617 |
| SYS-REQ-016 | The Remote Weapon Station SHALL achieve a Mean Time Between Critical Failures (MTBCF) of not less than 400 operating hours for safety-critical functions, and a Mean Time To Repair (MTTR) of not more than 60 minutes at field level. Rationale: Derived from STK-REQ-014. Operational availability requirement for deployed weapon systems. 400h MTBCF provides acceptable mission reliability over a 30-day deployment cycle. 60-min MTTR per STK-REQ-014 LRU replacement target. | Analysis | system, reliability, session-617, idempotency:sys-reliability-617 |
| SYS-REQ-017 | The Remote Weapon Station SHALL comply with MIL-STD-461G RE102/RS103 electromagnetic emissions and susceptibility limits and shall not cause interference with the host vehicle communication systems. Rationale: Derived from STK-REQ-016. EMC/EMI constraint: operation near radio transmitters and ECM. H-001 identifies EMI as a potential cause of uncommanded discharge — EMC compliance is safety-critical for the firing chain. | Test | system, environmental, session-617, idempotency:sys-emc-compliance-617 |
| SYS-REQ-018 | The Remote Weapon Station SHALL achieve positive target identification of a NATO standard target (2.3m x 2.3m wheeled vehicle) at a range of not less than 1500m in daylight conditions and not less than 800m in night or obscured conditions using the dual-mode EO/TI sensor suite. Rationale: Derived from STK-REQ-002. The Johnson criteria for positive identification require 6 cycles on the critical target dimension at the stated range. At 1500m the 2.3m critical dimension subtends about 1.5 mrad; 6 cycles (12 samples at two samples per cycle) across it corresponds to an IFOV of about 0.13 mrad, tighter than the 0.3 mrad specified in SYS-REQ-004, so the two requirements must be reconciled during verification. Stating the PID range explicitly in SYS ensures the sensor specification is traceable to the operational engagement requirement rather than only to a derived resolution metric. STK-REQ-002 identified that dual-mode sensors drive engagement decision quality and reduce friendly fire risk (H-004). | Test | session-635, qc, sensors, idempotency:qc-635-sys-req-018-pid-range |
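Worked sizing check for the EO channel, added here and not part of the report: it carries the Johnson-criteria arithmetic in the SYS-REQ-004 and SYS-REQ-018 rationales through for the 2.3 m NATO target at 1500 m and for the 0.5 m feature, and inverts it to show the identification range that a 0.3 mrad IFOV actually supports. Assumed conventions: one cycle spans two samples, N50 = 6 cycles for identification as the report states, detector IFOV as the resolution limit, and no allowance for optics MTF or atmosphere.

```python
"""Johnson-criteria sizing for the EO channel: required IFOV for a given
identification range, and the range a given IFOV actually supports.

Added example, not part of the report. Conventions assumed: one Johnson cycle
spans two samples (Nyquist), N50 = 6 cycles for identification as the report
states, and 'critical dimension' is the target's smaller dimension. Detector
IFOV is taken as the resolution limit; optics MTF and atmospherics are ignored."""

N50_CYCLES = {"detection": 1.0, "recognition": 4.0, "identification": 6.0}
SAMPLES_PER_CYCLE = 2.0


def subtended_mrad(dim_m: float, range_m: float) -> float:
    """Angle subtended by a target dimension at range (small-angle approximation)."""
    return dim_m / range_m * 1000.0


def required_ifov_mrad(dim_m: float, range_m: float, task: str = "identification") -> float:
    """Largest IFOV that still puts N50 cycles across the critical dimension."""
    return subtended_mrad(dim_m, range_m) / (N50_CYCLES[task] * SAMPLES_PER_CYCLE)


def achievable_cycles(dim_m: float, range_m: float, ifov_mrad: float) -> float:
    """Cycles a sensor with the given IFOV resolves across the critical dimension."""
    return subtended_mrad(dim_m, range_m) / ifov_mrad / SAMPLES_PER_CYCLE


def task_range_m(dim_m: float, ifov_mrad: float, task: str = "identification") -> float:
    """Range at which the sensor just meets N50 for the task (inverse of the above)."""
    return dim_m * 1000.0 / (ifov_mrad * N50_CYCLES[task] * SAMPLES_PER_CYCLE)


def check_requirement(dim_m: float, range_m: float, ifov_mrad: float,
                      task: str = "identification") -> dict:
    """Compare a stated IFOV against the IFOV the task range implies."""
    need = required_ifov_mrad(dim_m, range_m, task)
    return {
        "required_ifov_mrad": need,
        "stated_ifov_mrad": ifov_mrad,
        "cycles_with_stated_ifov": achievable_cycles(dim_m, range_m, ifov_mrad),
        "range_with_stated_ifov_m": task_range_m(dim_m, ifov_mrad, task),
        "meets_task": ifov_mrad <= need,
    }


if __name__ == "__main__":
    # SYS-REQ-018 target (2.3 m) at 1500 m against the 0.3 mrad IFOV of SYS-REQ-004
    print(check_requirement(2.3, 1500.0, 0.3))
    # the 0.5 m feature quoted in the SYS-REQ-004 rationale
    print(check_requirement(0.5, 1500.0, 0.3))
```

With 0.3 mrad the 2.3 m target yields about 2.6 cycles at 1500 m (recognition at best), and 6-cycle identification is only reached at roughly 640 m; meeting SYS-REQ-018 as written needs an IFOV near 0.13 mrad, which is the reconciliation the two rationales call for.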
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| SUB-REQ-001 | The Dual-Channel Safety Controller SHALL implement a 1oo2D (one-out-of-two with diagnostics) redundant channel architecture with independent processing paths and cross-channel data comparison, achieving an average Probability of Failure on Demand (PFDavg) not greater than 1×10⁻⁴ or, if the firing chain is assessed as high-demand or continuous mode, a Probability of dangerous Failure per Hour (PFH) not greater than 1×10⁻⁷. Rationale: IEC 61508 (Functional safety of E/E/PE safety-related systems) Part 2 requires quantitative verification of the target failure measure for SIL 3 architectures. PFDavg is dimensionless: the SIL 3 low-demand band of IEC 61508-1 is 10⁻⁴ ≤ PFDavg < 10⁻³, so 1×10⁻⁴ is the most demanding end of SIL 3, whereas a figure of 10⁻⁴ "per hour" would be a PFH that does not reach SIL 1. The 1oo2D architecture claim is verified by FMEDA (Failure Modes Effects and Diagnostic Analysis) per IEC 61508-6 Annex B, producing a documented PFDavg calculation with all failure rate, common-cause (β) and diagnostic coverage inputs traceable to certified component datasheets. This is recorded as a Test verification because the FMEDA produces quantitative pass/fail evidence against the SIL 3 PFDavg threshold of 1e-4. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-dsc-1oo2d-618 |
| SUB-REQ-002 | The Dual-Channel Safety Controller SHALL transition to ARMED state only when the Arming Key Switch Assembly asserts key-armed status AND an operator ARM command has been received from the Operator Control Unit, with both inputs present simultaneously within a 2-second coincidence window, and SHALL revert to SAFE state if the window expires without both inputs being present. Rationale: SYS-REQ-007 mandates a two-action arming sequence. The 2-second coincidence window prevents accidental arming from delayed inputs while remaining operationally practical (crew can key-and-arm in under 2 seconds). Expiry revert prevents leaving the system half-armed if the operator is interrupted. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-dsc-two-action-arm-618 |
| SUB-REQ-003 | The Hardware Firing Interlock Relay SHALL be a normally-open, fail-safe electromechanical relay installed in series with the weapon firing solenoid, energised only when both the Dual-Channel Safety Controller asserts fire-enable AND the Arming Key Switch Assembly is in ARMED position via a separate hardwired circuit, such that any single software failure cannot cause weapon discharge. Rationale: SYS-REQ-008 requires hardware diversity from fire control software. A normally-open relay fails safe (weapon cannot fire) on de-energisation. The AND-gate of two independent inputs (controller + key) ensures neither a software fault alone nor an inadvertent key turn alone can cause discharge. This is the primary SIL-3 firing barrier. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-hfi-independence-618 |
| SUB-REQ-004 | The Hardware Firing Interlock Relay SHALL de-energise and open the firing solenoid circuit within 10ms of the Dual-Channel Safety Controller withdrawing the fire-enable signal. Rationale: A 10ms de-energise latency ensures the firing circuit opens before the next possible trigger pulse at maximum weapon cyclic rate (1200 RPM = 50ms between rounds). This provides a minimum 5x margin. Exceeding 50ms risks firing an unintended round after a safe state command. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-hfi-response-618 |
| SUB-REQ-005 | The E-stop and Link Watchdog Module SHALL assert a safe-state trigger signal to the Dual-Channel Safety Controller within 200ms of the last valid operator control link heartbeat being received, and SHALL maintain that signal asserted until a valid heartbeat sequence is re-established. Rationale: SYS-REQ-009 mandates a 500ms total safe-state response to link loss, of which the watchdog module must trigger within 200ms to allow 200ms for the controller to process and a further 100ms margin. A hardware watchdog (not software) ensures the timer operates even during a software hang on the controller. | Test | subsystem, safety-interlock-system, sil-2, safety, session-618, idempotency:sub-ewd-link-watchdog-618 |
| SUB-REQ-006 | When Emergency Stop is activated, the Safe State Output Driver SHALL de-energise all actuator outputs (both axis brake solenoids and weapon firing inhibit relay coil) within 50ms of the E-stop and Link Watchdog Module asserting the safe-state trigger signal. Rationale: SYS-REQ-010 requires E-stop response with brakes engaged. The 50ms budget covers: 10ms E-stop module assert + 20ms controller processing + 20ms relay driver response. Brake engagement within 50ms limits turret coast-down to <2° at maximum slew rate of 60°/s, keeping weapon within the commanded safe zone. | Test | subsystem, safety-interlock-system, sil-2, safety, session-618, idempotency:sub-ssod-estop-response-618 |
| SUB-REQ-007 | While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System SHALL prevent transition to ARMED state regardless of operator control unit commands, and SHALL assert the firing inhibit and brake-engaged outputs in their safe state. Rationale: STK-REQ-009 mandates lockout-tagout enforcement during maintenance. The physical key switch in MAINTENANCE-LOCKOUT position provides a reliable, operator-controlled barrier that cannot be overridden by software commands — satisfying the lockout-tagout principle that the energy isolation device must be under the control of the person at risk. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-sis-maintenance-lockout-618 |
| SUB-REQ-008 | When the Dual-Channel Safety Controller detects a fault via cross-channel comparison, internal diagnostic monitor, or output verification loop, the Safety Interlock System SHALL transition to the safe state (firing inhibited, brakes engaged) within 100ms of fault detection and SHALL latch in safe state until a deliberate operator reset sequence. Rationale: IEC 61508 SIL 3 requires automatic transition to safe state on fault detection. The 100ms budget (10ms detect + 50ms processing + 40ms output) ensures the safe state is reached before a firing cycle can complete. Latching prevents inadvertent re-arming due to transient faults; deliberate reset ensures an operator has positively accepted the safety state change. | Test | subsystem, safety-interlock-system, sil-3, safety, session-618, idempotency:sub-sis-fault-safe-state-618 |
| SUB-REQ-009 | The Safety Interlock System SHALL operate from a 28VDC (22–32V nominal range) supply provided by the Power Distribution Unit, with maximum power consumption not exceeding 50W during peak diagnostic cycle, and SHALL maintain correct safety function operation during supply voltage transients in the range 16–40VDC per MIL-STD-704 (Aircraft Electric Power Characteristics) transient profile. Rationale: Power supply requirements are mandatory for any classified-Powered subsystem to confirm operation across vehicle bus voltage range (28VDC nominal, 22–32V steady-state per MIL-STD-1275 heavy vehicle power). 50W peak budget is derived from dual-channel processor (2×10W), relay drivers (3×5W), and monitoring circuits (10W margin). MIL-STD-704 transient profile is the applicable standard for military ground vehicles. | Test | subsystem, safety-interlock-system, power, session-618, idempotency:sub-sis-power-618 |
| SUB-REQ-010 | The Turret Drive Assembly SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 400W during simultaneous high-rate azimuth and elevation slewing, and peak instantaneous draw not exceeding 800W during acceleration from rest to maximum slew rate. Rationale: TDA is a high-power Powered component (DEF51018). The 400W continuous and 800W peak budgets are derived from motor sizing for a 40°/s maximum slew rate under 25kN recoil loading (SYS-REQ-014). MIL-STD-1275E voltage range ensures compatibility with vehicle power bus under transient conditions. | Test | session-619, qc, turret-drive-assembly, power, idempotency:sub-tda-power-619 |
| SUB-REQ-011 | The Fire Control System SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 150W during full-rate sensor fusion, ballistic computation, and servo command generation, and SHALL maintain correct operation during supply interruptions of up to 50ms. Rationale: FCS is a high-criticality Powered component (55F7725D). 150W budget covers dual-processor compute load for sensor fusion and ballistic computation. The 50ms supply interruption tolerance addresses vehicle power bus switching transients that could otherwise cause a false-safe-state assertion during normal vehicle manoeuvring. | Test | session-619, qc, fire-control-system, power, idempotency:sub-fcs-power-619 |
| SUB-REQ-012 | The Electro-Optical Sensor Assembly SHALL receive 28VDC power (20–32V operating range per MIL-STD-1275E) from the vehicle Power Distribution Unit, with maximum continuous draw not exceeding 80W for simultaneous EO camera and thermal imager operation, and SHALL maintain calibrated imaging performance during supply voltage variations throughout the operating range. Rationale: EOSA is a Powered Physical Object (D6C51018) containing thermally-sensitive detector arrays. The 80W budget covers IR detector cooling (Stirling or thermoelectric), EO camera electronics, and image processing. Supply voltage variation test confirms the voltage regulation feeding detector bias circuits maintains calibration, which is critical for the 0.3 mrad IFOV required by SYS-REQ-004. | Test | session-619, qc, electro-optical-sensor-assembly, power, idempotency:sub-eosa-power-619 |
| SUB-REQ-013 | The Fire Control Computer SHALL execute the pointing error closed-loop at not less than 50Hz, producing azimuth and elevation demands to the Turret Drive Assembly within 20ms of each Track data input. Rationale: SYS-REQ-006 requires automatic tracking error ≤0.5 mrad RMS. Achieving this against a 10m/s target at 1000m range requires the pointing loop to run at ≥50Hz; at lower rates, control latency allows tracking error to exceed 0.5 mrad during dynamic manoeuvre. 20ms latency matches the TDA servo bandwidth of 50Hz. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-fcc-loop-rate-620 |
| SUB-REQ-014 | The Target Tracking Processor SHALL maintain auto-track on a target with a minimum IR contrast of 0.5K with a track error not exceeding 0.2 mrad RMS at update rates of 50Hz over a track duration of not less than 10 seconds without operator intervention. Rationale: SYS-REQ-006 requires overall tracking error ≤0.5 mrad RMS. TTP track error budget is 0.2 mrad to leave margin for servo pointing error. 0.5K contrast threshold derived from sensor characterisation at SYS-REQ-004 NETD of ≤50mK. 50Hz update rate is the EOSA video rate. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-ttp-track-accuracy-620 |
| SUB-REQ-015 | The Ballistic Computation Module SHALL complete a new fire solution within 20ms of receiving an updated laser rangefinder range measurement, accounting for target velocity from the Target Tracking Processor, platform inertial data from the IMU, and stored ammunition ballistic coefficients. Rationale: SYS-REQ-002 allocates an 8-second engagement window. Within this, the operator must designate, the LRF must range, and the FCS must compute and settle before firing. 20ms BCM latency is the allocated budget within the overall engagement timeline. Failure to meet this means the weapon is fired on a stale ballistic solution, reducing first-round hit probability below SYS-REQ-001 threshold of p≥0.7. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-bcm-latency-620 |
| SUB-REQ-016 | The Weapon Control Interface SHALL activate the weapon trigger solenoid within 5ms of receiving a FIRE command from the Fire Control Computer, and SHALL de-activate within 2ms of receiving a CEASE command. Rationale: SYS-REQ-002 requires engagement within 8 seconds; weapon actuation latency is the last element in the chain. 5ms activation latency is the maximum compatible with the fire control timing model. 2ms cease latency is required to ensure burst-length control: at 600 rounds/min, 2ms corresponds to 0.02 rounds over-fire, which is within weapon tolerance. | Test | subsystem, fire-control-system, sil-2, session-620, idempotency:sub-wci-fire-latency-620 |
| SUB-REQ-017 | When the Safety Interlock System asserts the SAFE_STATE signal, the Fire Control System SHALL immediately issue a CEASE command to the Weapon Control Interface, clear all pending FIRE commands, and inhibit further FIRE commands until an explicit RE-ARM sequence is completed. Rationale: H-003 (unintended weapon discharge) drives SIL 2 requirement on the FCS to respond to the SIS SAFE_STATE assertion. The FCS must not be capable of overriding or ignoring the SIS safe-state command; clearing pending FIRE commands prevents latent firing after the interlock condition clears. This is a complementary software control layer to the hardware interlock in SUB-REQ-003. | Test | subsystem, fire-control-system, sil-2, safety, session-620, idempotency:sub-fcs-sis-safing-620 |
| SUB-REQ-018 | While operating in Degraded Mode with the thermal imaging channel failed, the Fire Control System SHALL maintain automatic target tracking using the day-channel video feed at a minimum track update rate of 25Hz and SHALL achieve a first-round hit probability of not less than 0.5 against a stationary 2m x 2m target at 800m range. Rationale: SYS-REQ-011 requires degraded engagement capability when the thermal imager fails. Day-channel minimum 25Hz is half the dual-channel rate; performance reduction from p≥0.7 to p≥0.5 is accepted as a degraded-mode threshold. 800m range reduction from 1000m reflects that day-channel detection at IFOV of SYS-REQ-004 is less reliable in degraded light conditions. | Test | subsystem, fire-control-system, sil-2, degraded, session-620, idempotency:sub-fcs-degraded-mode-620 |
| SUB-REQ-019 | The Fire Control System SHALL complete Built-In Test of all safety-interlocked functions, including Weapon Control Interface continuity, Target Tracking Processor frame acquisition, and Ballistic Computation Module data integrity, within 45 seconds of power application. Rationale: SYS-REQ-012 requires full system BIT within 60 seconds. The FCS BIT is allocated 45 seconds (75% of system BIT budget) because it must sequence through SIS handshake, TTP initialisation, and BCM data validation. The remaining 15 seconds covers other subsystems. BIT failures must be reported via operator HMI within this window. | Test | subsystem, fire-control-system, session-620, idempotency:sub-fcs-bit-time-620 |
| SUB-REQ-021 | The Fire Control Computer SHALL operate within a 28VDC supply rail (20–32V operating range per MIL-STD-1275E) with a maximum steady-state current draw of 8A and a maximum peak surge of 15A for not more than 50ms at power-on. Rationale: Lint finding: FCC classified Powered with no power requirements. FCC supply is from PDU 28VDC rail. 8A steady-state at 220W includes FCC processor, TTP video board, and WCI module in worst-case operating condition. 15A peak surge accommodates capacitor inrush at power-on without tripping PDU branch circuit protection. | Test | subsystem, fire-control-system, power, session-620, idempotency:sub-fcc-power-620 |
| SUB-REQ-022 | The Weapon Cradle and Mount SHALL withstand a peak recoil load of 25kN from sustained burst fire without permanent deformation of mounting interfaces or loss of weapon alignment exceeding 0.5 mrad. Rationale: Derived from SYS-REQ-014. A 25kN recoil load corresponds to .50 cal M2HB sustained fire with a cyclic rate of 450-600 rpm. The 0.5 mrad alignment criterion ensures bore line is maintained within the ballistic solution error budget after a burst — permanent misalignment would degrade first-round hit probability below the SYS-REQ-001 threshold. | Test | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-wcm-recoil-load-621 |
| SUB-REQ-023 | The Recoil Buffer and Damping System SHALL attenuate peak recoil force from 25kN weapon output to not more than 5kN transmitted to the turret structure, measured at the cradle-to-turret interface, across the temperature range -40°C to +70°C. Rationale: The 5kN transmitted force ceiling is derived from turret structural mass budget: 25kN without attenuation would require approximately 40% heavier turret structure to maintain fatigue life. The temperature range requirement ensures hydraulic fluid viscosity variation does not compromise damping performance in arctic or desert environments. | Test | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-rbd-attenuation-621 |
| SUB-REQ-024 | The Barrel Change Mechanism SHALL enable a single maintainer to remove a hot barrel and install a replacement barrel within 30 seconds, using no tools, with the turret in any azimuth position and elevation within -10° to +10°. Rationale: Derived from SYS-REQ-015. The 30-second criterion reflects operational doctrine for sustained fire support missions where barrel life at maximum cyclic rate is approximately 150 rounds. The tool-free, single-maintainer constraint is required because the operator station is remote — there is no second crew member positioned at the weapon. | Demonstration | subsystem, weapon-and-ammunition-handling, sil-2, session-621, idempotency:sub-bcm-change-time-621 |
| SUB-REQ-025 | When the Barrel Change Mechanism barrel retention sensor reads UNLOCKED, the Weapon and Ammunition Handling Assembly SHALL assert a BARREL-NOT-LOCKED signal to the Safety Interlock System within 50ms, preventing weapon firing until positive lock is confirmed. Rationale: Derived from SYS-REQ-008 (hardware firing interlock independent of software). An unlocked barrel can fly off during firing, creating a projectile hazard and destroying the weapon. The 50ms detection latency ensures the SIS can inhibit a fire command before the first round is chambered even if the barrel is accidentally released during a firing cycle. | Test | subsystem, weapon-and-ammunition-handling, sil-2, safety, session-621, idempotency:sub-bcm-barrel-lock-safety-621 |
| SUB-REQ-026 | The Turret Drive Assembly SHALL achieve a weapon pointing accuracy of 0.1 mrad RMS under all combinations of vehicle velocity up to 30 km/h on cross-country terrain (30 mrad/s platform motion) and target range up to 1500m. Rationale: Derived from SYS-REQ-001 (first-round hit probability ≥70% at 800m). The 0.1 mrad pointing accuracy is the TDA allocation of the overall 0.3 mrad system accuracy budget — the remaining 0.2 mrad is allocated to FCS ballistic computation and atmospheric correction. At 1500m, 0.1 mrad = 150mm pointing error, within the acceptable zone for 7.62mm suppression fire. | Test | subsystem, turret-drive-assembly, sil-2, session-621, idempotency:sub-tda-pointing-accuracy-621 |
| SUB-REQ-027 | When the Safety Interlock System asserts DRIVE-INHIBIT, the Turret Drive Assembly SHALL cease all azimuth and elevation motion within 200ms, applying both axis brakes, and SHALL NOT resume motion until DRIVE-INHIBIT is de-asserted and a RESUME command is received from the Fire Control Computer. Rationale: Derived from SYS-REQ-010 (E-stop de-energises all actuators within 200ms). The 200ms budget for TDA is the same as the system-level E-stop budget — turret motion must stop within the overall response window since uncommanded turret traverse is a SIL 2 hazard. The RESUME handshake prevents automatic restart after an E-stop. | Test | subsystem, turret-drive-assembly, sil-2, safety, session-621, idempotency:sub-tda-drive-inhibit-621 |
| SUB-REQ-028 | The Azimuth Drive Motor and Gearbox SHALL provide continuous 360° azimuth rotation at slew rates from 0.1°/s to 60°/s, with a maximum angular acceleration of 30°/s² and no mechanical stop or dead zone in the traverse arc. Rationale: Derived from SYS-REQ-003 (continuous 360° azimuth traverse). Continuous rotation without dead zone is essential for engagement of threats at any bearing relative to vehicle heading. The 60°/s maximum slew rate corresponds to tracking a target at 500m range moving at 50 km/h — exceeding this would require oversized motors with no tactical benefit. | Test | subsystem, turret-drive-assembly, sil-2, session-621, idempotency:sub-tda-azimuth-range-621 |
| SUB-REQ-029 | The Thermal Imaging Camera SHALL provide a minimum instantaneous field of view (IFOV) of 0.3 mrad in the narrow field of view (NFOV) channel, enabling detection of a 0.5m² target at a range of not less than 3 km in STANAG 4347 standard atmosphere conditions. Rationale: Derived from SYS-REQ-004 (0.3 mrad minimum day-channel imaging). The thermal channel must match the day channel IFOV to maintain targeting consistency when switching between channels. The 3 km detection criterion at STANAG 4347 conditions ensures tactical relevance for vehicle protection scenarios. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-tic-ifov-621 |
| SUB-REQ-030 | The Laser Rangefinder SHALL measure target range to an accuracy of ±5m (1-sigma) across ranges from 200m to 4000m, and SHALL be classified as eye-safe (Class 1M or better per IEC 60825-1) under all operating conditions. Rationale: Derived from SYS-REQ-005 (LRF range accuracy ±5m). Eye-safe classification is a non-negotiable operational constraint — ground forces frequently operate without laser protection, so any LRF on an RWS must meet IEC 60825-1 Class 1M at the most exposed range to avoid fratricide by laser exposure. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-lrf-accuracy-621 |
| SUB-REQ-031 | While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL maintain Daylight Television Camera and Laser Rangefinder operation with no degradation in day-channel IFOV or LRF ranging accuracy, providing the FCS with day-channel video and range data enabling not less than 0.7 first-round hit probability per SYS-REQ-001 in daylight conditions. Rationale: Derived from SYS-REQ-011 (degraded operation with thermal imager failed). The EOSA electrical and mechanical architecture must ensure thermal imager failure cannot cascade to the day channel or LRF — independent power rail and independent video path are required to achieve this degraded-mode capability. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-621, idempotency:sub-eosa-degraded-621 |
| SUB-REQ-032 | The Operator Display Unit SHALL display sensor video from the Fire Control Computer with an end-to-end display latency not exceeding 100ms from FCC frame output to screen pixel update, at full resolution with overlay graphics. Rationale: 100ms end-to-end display latency is the operator-perceptible threshold for manual target tracking in stabilised weapon systems, established by NATO STANAG 4586 Edition 4 (UAS OCU interoperability) and confirmed by DEF STAN 00-250 Part 2 (Human Factors for Defence Systems) Section 3.4 display update latency guidance. Above 100ms the gunner perceives a 'laggy' display that introduces aim-point error during manual tracking. At the maximum manual tracking rate of 5°/s, a 100ms latency represents 0.5° of display lag — at the boundary of perceptible tracking degradation. The 100ms budget is the ODU allocation within the FCC-to-screen path; the remaining latency is allocated to the FCC video processing pipeline (documented in IFC-REQ between FCC and ODU). The value has heritage in fielded RWS programmes including systems using similar COTS display processors. | Test | subsystem, operator-control-unit, session-621, idempotency:sub-odu-latency-621, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-033 | The Gunner Hand Controller SHALL transmit azimuth and elevation slew commands at 100Hz with an input-to-output latency not exceeding 10ms from physical joystick deflection to FCC-received USB HID report, across the full operating temperature range of -40°C to +70°C. Rationale: 100Hz (10ms period) command rate matches the TDC (Turret Drive Controller) inner control loop rate per IEC 61800-7 (Common interface for power drive systems) motion command cycle requirements. The 10ms input-to-output latency is achievable with USB HID configured at 1ms polling interval (USB 2.0 High Speed interrupt endpoint, bInterval=1) giving 1ms USB transfer + <5ms ADC/FPGA processing + <2ms USB host stack delivery = 8ms typical worst-case. This is confirmed by DO-178C (Software Considerations in Airborne Systems) heritage for high-rate joystick interfaces. At 60°/s maximum manual slew rate, 10ms represents 0.6° of untracked motion — within the 1 mil tracking accuracy requirement. The -40°C to +70°C range applies because USB crystal oscillator drift and capacitor ESR changes can increase USB transfer timing on unheated vehicle platforms; the requirement mandates the 100Hz/10ms budget must hold across the full temperature envelope, requiring qualification testing per MIL-STD-810H (Environmental Engineering Considerations and Laboratory Tests) Method 502.6 (Low Temperature). | Test | subsystem, operator-control-unit, session-621, idempotency:sub-ghc-latency-621, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-034 | The Tactical Data Link Processor SHALL encode and transmit MIL-STD-6016 (STANAG 5516) position reports at a minimum rate of 1 Hz and decode received tactical messages with an end-to-end processing latency not exceeding 50ms. Rationale: SYS-REQ-013 requires 1Hz position reporting to the BMS. The 50ms processing latency budget is derived from the 200ms end-to-end engagement message latency in IFC-REQ-006, with 50ms allocated to protocol processing, leaving 150ms for network transmission and BMS processing. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-tdp-datalink-throughput-622 |
| SUB-REQ-035 | The Video Compression and Network Interface Module SHALL compress daylight and thermal video channels to H.264 at a configurable bitrate of 2 to 8 Mbps and deliver RTP streams over Gigabit Ethernet to the BMS at a minimum frame rate of 15 fps per channel without frame drops exceeding 1% over any 10-second window. Rationale: SYS-REQ-013 and IFC-REQ-006 specify 15fps video to the BMS. The 2-8Mbps range accommodates varying network bandwidth. The 1% frame drop limit is derived from military imaging standards for surveillance video — higher drop rates degrade target identification confidence. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-vcni-video-compression-622 |
| SUB-REQ-036 | The CAN Bus and Serial Protocol Gateway SHALL receive and republish CAN bus (ISO 11898, 500 kbps) vehicle status messages to the internal RWS Ethernet network with a message latency not exceeding 5ms, and distribute GPS position data from the RS-422 input at 10 Hz to the Fire Control System and Tactical Data Link Processor. Rationale: IFC-REQ-003 requires CAN bus communication at <10ms total latency; the gateway must contribute no more than 5ms of that budget. IFC-REQ-004 requires GPS data at 10Hz. The gateway is the single point of ingress for vehicle network data, preventing direct CAN access by safety-critical subsystems. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-cpg-vehicle-data-dist-622 |
| SUB-REQ-037 | The EMC Filter and Surge Protection Assembly SHALL suppress conducted emissions on the CIU 28VDC supply line to comply with MIL-STD-461G (Electromagnetic Interference Characteristics Requirements for Equipment and Subsystems) CE101 and CE102 limits, and SHALL protect all external signal interfaces against ESD transients up to 15kV (IEC 61000-4-2 Level 4). Rationale: SYS-REQ-017 mandates MIL-STD-461G (Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment) RE102/RS103 compliance. EMC filtering at the Communications Interface Unit (CIU) boundary prevents the data link processor and video compression hardware (high-frequency switching sources) from coupling emissions onto the vehicle power bus or injecting interference into adjacent electronics. | Test | subsystem, communications-interface-unit, session-622, idempotency:sub-emc-filter-assembly-622, tech-author-session-643 |
| SUB-REQ-038 | The Power Distribution Unit SHALL accept an input voltage in the range 18VDC to 32VDC (per MIL-STD-1275E) at a continuous rated current of 72A and a peak current of 125A for up to 500ms without thermal shutdown or output voltage deviation exceeding 5% on any load rail. Rationale: IFC-REQ-002 defines the system power input at 2kW continuous and 3.5kW peak. At 28VDC nominal, this corresponds to 72A continuous and 125A peak. The 18-32V range per MIL-STD-1275E (Power, DC, Vehicles and Vehicular Equipment) covers generator, alternator, and battery conditions on military platforms. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-input-voltage-range-622 |
| SUB-REQ-039 | The Power Distribution and Protection Module SHALL implement independent solid-state power controllers for each subsystem load with electronically adjustable overcurrent trip thresholds and SHALL isolate any faulted load within 10ms of fault detection without interrupting power to other subsystem loads. Rationale: A single faulted subsystem (e.g., TDA motor controller short circuit) must not cascade to disable other subsystems including the Safety Interlock System. The 10ms trip time is derived from the SIS watchdog period of 100ms in SUB-REQ-005 — load isolation must complete before watchdog expiry to prevent false safe-state triggering. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-sspc-isolation-622 |
| SUB-REQ-040 | The DC-DC Converter Array SHALL provide regulated output rails at 12VDC ±2%, 5VDC ±2%, and 3.3VDC ±2% with output ripple not exceeding 50mV peak-to-peak and SHALL maintain regulation within specification over the full input voltage range of 18-32VDC at rated load. Rationale: Sensor and camera modules (EOSA) require stable 12VDC supply; FPGA and digital processing modules require 5V/3.3V. The ±2% tolerance is the maximum permitted for MIL-grade components per their operating datasheets. 50mV ripple is standard for military electronics power quality. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-dcdc-regulation-622 |
| SUB-REQ-041 | The Power Monitor and Control Unit SHALL sample voltage and current on each subsystem supply branch at a minimum rate of 10 Hz and transmit power telemetry to the Fire Control Computer via RS-422 within 100ms of any supply rail deviation exceeding 5% from nominal. Rationale: The FCS requires power status to implement graceful load shedding under peak demand and to log faults for maintenance diagnostics. 10 Hz sampling is derived from MIL-STD-1275E (Characteristics of 28 VDC Electrical Systems in Military Vehicles) transient characterisation: voltage dropouts and load-regulation events in vehicle 24/28V systems have rise times of 10-50ms, requiring at least 5 Hz to detect; 10 Hz provides 2x margin at minimal RS-422 bus bandwidth cost (10 samples/s × 8 channel × 2 bytes = 160 bytes/s vs RS-422 bandwidth of 1 Mbit/s). The 100ms reporting latency supports SYS-REQ-012 BIT detection within the system self-test window (500ms BIT cycle), ensuring power fault data is current when BIT evaluates subsystem health. The 5% deviation threshold corresponds to MIL-STD-1275E steady-state voltage regulation tolerance for 24V vehicle bus, making any exceedance actionable rather than noise. | Test | subsystem, power-distribution-unit, session-622, idempotency:sub-pdu-pmcu-telemetry-622, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-042 | The Dual-Channel Safety Controller SHALL operate from a 28VDC supply (22–32V operating range per MIL-STD-1275E), with a maximum steady-state current draw of 500mA per channel and a maximum total inrush current of 2A for no more than 20ms at power-on. Rationale: The DCSC is a SIL-3 safety function powered from the vehicle 28VDC bus. Per MIL-STD-1275E, the bus can vary 22–32V under transient conditions; the DCSC must tolerate this range without false safe-state assertion. The 500mA/channel limit is derived from the SIS power budget (SUB-REQ-009) allocated across five SIS components. Inrush limit protects vehicle protection devices. | Test | subsystem, safety-interlock-system, sil-3, session-623, idempotency:sub-dcsc-power-623 |
| SUB-REQ-043 | The Hardware Firing Interlock Relay SHALL be energised from 24VDC (18–30V operating range), draw a coil current not exceeding 200mA in the energised state, and have a maximum operate time of 10ms and a release time of 5ms when de-energised by the Dual-Channel Safety Controller. Rationale: The HFIR coil voltage range reflects realistic vehicle bus variation; the 200mA limit is derived from SIS power budget (SUB-REQ-009) and relay type selection for the weapon firing circuit load. The 10ms/5ms operate/release times are required to ensure the relay de-energises (opens the firing circuit) faster than a single burst cycle to prevent unintended round discharge. | Test | subsystem, safety-interlock-system, sil-3, session-623, idempotency:sub-hfir-power-623 |
| SUB-REQ-044 | The Elevation Drive Motor and Gearbox SHALL provide weapon elevation coverage from -20° (depression) to +60° (elevation) at a slew rate of not less than 30°/s under maximum weapon load. Rationale: SYS-REQ-003 mandates -20°/+60° elevation coverage; decomposed to TDA because the elevation drive mechanism physically implements this range. The 30°/s slew rate matches the azimuth requirement to maintain symmetric engagement geometry. Missing this requirement would leave the elevation axis unspecified in the TDA. | Test | subsystem, turret-drive-assembly, sil-2, session-624, idempotency:sub-tda-elevation-range-624 |
| SUB-REQ-045 | The Day Camera SHALL provide visible-band imaging at a minimum resolution of 0.3 mrad/pixel and a minimum frame rate of 25 frames per second, with a continuous optical zoom ratio of not less than 20:1. Rationale: SYS-REQ-004 specifies 0.3 mrad minimum resolution for day-channel imaging; this requirement decomposes that performance allocation to the Day Camera imager within EOSA. The 25 fps floor is needed for smooth tracking loop performance in the FCS. Without an explicit camera specification, the EOSA could not be procured or tested against system requirements. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-624, idempotency:sub-eosa-day-camera-624 |
| SUB-REQ-046 | The Fire Control System SHALL achieve a Mean Time Between Critical Failures (MTBCF) of not less than 500 hours in the field operational environment as defined by MIL-STD-810H Method 514 (Vibration). Rationale: MTBCF for a system of this complexity cannot be measured directly by accelerated test within programme timelines. Per DEF STAN 00-56 (Safety management requirements for defence systems) and reliability prediction standards, MTBCF is demonstrated via: (1) Monte Carlo reliability prediction from component failure rate data (MIL-HDBK-217), (2) accumulation of field hours data from qualification and acceptance testing, and (3) field reliability tracking from service introduction. The Demonstration method reflects evidence-based reliability assessment rather than laboratory testing. | Demonstration | subsystem, fire-control-system, sil-2, reliability, session-624, idempotency:sub-fcs-mtbcf-624 |
| SUB-REQ-047 | The Weapon and Ammunition Handling Assembly SHALL enable replacement of the weapon barrel and clearing of a round jam within a Mean Time To Repair (MTTR) of not more than 30 minutes by a two-person team using standard military tool sets. Rationale: SYS-REQ-015 and SYS-REQ-016 collectively drive the maintainability requirement; the WAHA is the subsystem with the highest-frequency scheduled maintenance activities (barrel changes, jam clearance). The 30-minute MTTR ceiling is derived from field doctrine requirements for sustained fire support operations, where extended downtime degrades mission capability. | Demonstration | subsystem, weapon-and-ammunition-handling, sil-2, maintainability, session-624, idempotency:sub-waha-mttr-624 |
| SUB-REQ-048 | The Fire Control Computer SHALL execute an automated boresight verification routine at system power-on and on operator demand, comparing the weapon axis alignment to the EOSA optical axis to within 0.5 mrad, and SHALL inhibit weapon firing if misalignment exceeds 1.0 mrad. Rationale: SYS-REQ-015 requires automated boresight verification to maintain accuracy in the field. Decomposed to FCC because the FCC hosts the alignment algorithm and controls weapon enable/disable. The 0.5 mrad acceptance threshold is derived from the ballistic accuracy budget; the 1.0 mrad inhibit threshold provides a 2× safety margin before engagement accuracy is materially degraded. | Test | subsystem, fire-control-system, sil-2, session-624, idempotency:sub-fcc-boresight-624 |
| SUB-REQ-049 | The Sensor Stabilisation Platform SHALL provide a two-axis gyrostabilised mount for the EOSA sensor head, maintaining residual line-of-sight error below 0.1 mrad RMS while the host vehicle traverses terrain at speeds up to 30 km/h. Rationale: SYS-REQ-001 requires first-round hit probability of 0.7 from a moving vehicle using stabilised fire control; achieving this probability budget on a moving vehicle requires EOSA stabilisation error to be below 0.1 mrad RMS so that it contributes less than 30% of the total ballistic error budget. Decomposed to EOSA because the sensor head and its stabilisation platform are co-located and co-designed. | Test | subsystem, electro-optical-sensor-assembly, sil-2, session-624, idempotency:sub-eosa-gyrostab-624 |
| SUB-REQ-050 | The Fire Control System SHALL be packaged as a sealed Line-Replaceable Unit (LRU) meeting MIL-STD-810H Method 507.6 humidity and Method 514.8 vibration profiles for vehicle-mounted equipment. Rationale: Lint finding (HIGH): UHT classifies FCS (55F7725D) without Physical Object trait but SUB-REQ-046 imposes physical constraints. Defining FCS as a sealed vehicle-mounted LRU formalises its physical embodiment and test standards, ensuring the physical design is governed by the same requirements hierarchy as functional requirements. | Inspection | session-625, qc, fire-control-system, lint-fix-high, idempotency:sub-fcs-physical-lru-session-625 |
| SUB-REQ-051 | The Hardware Firing Interlock Relay SHALL use gold-alloy bifurcated contacts rated at minimum 10A continuous at 28VDC and SHALL maintain contact resistance below 50mΩ after 50,000 actuation cycles and 1000 hours salt-spray exposure per MIL-STD-202 Method 101. Rationale: UHT Physical Medium trait classification (D6F51019) identifies material interface requirements not currently specified. The HFI relay is SIL-3 rated; contact degradation from corrosion or wear is a common-cause failure mode that can defeat the hardware interlock. Gold-alloy bifurcated contacts provide redundant current paths and corrosion resistance in the armoured vehicle environment (humidity, salt atmosphere, vibration). Contact resistance limit derives from required voltage margin at the firing solenoid threshold. | Test | session-625, qc, safety-interlock-system, lint-fix-medium, sil-3, idempotency:sub-hfi-relay-contacts-session-625 |
| SUB-REQ-052 | The Fire Control Computer SHALL implement a hardware watchdog timer with a 100ms timeout that independently de-energises the weapon control interface firing output and asserts a fault flag to the Operator Control Unit HMI if the fire control application fails to service the watchdog, ensuring fire control software failure does not result in loss of firing inhibit. Rationale: UHT System-Essential trait classification (hex 51B73219) identifies missing redundancy/failover specification. The FCC is the master controller for the fire solution; a software lock-up or crash without a hardware watchdog could leave the WCI firing output in an indeterminate state. The 100ms timeout is derived from the maximum credible software recovery time (FCC RTOS context switch < 10ms) and the minimum safe interval between valid fire commands, and satisfies the 500ms safe-state budget in SYS-REQ-009. HMI fault flag notification within 500ms enables the operator to identify the fault and take manual action. This is a defence-in-depth measure supplementing the independent SIS hardware interlock per SYS-REQ-008. Complies with IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems) SIL-2 hardware architecture constraints. | Test | session-625, qc, fire-control-system, lint-fix-medium, sil-2, idempotency:sub-fcc-watchdog-session-625, red-team-session-640, reqs-eng-session-641 |
| SUB-REQ-053 | The Weapon Control Interface SHALL implement a fail-safe output stage such that loss of power, loss of communication from the FCC, or any detected output driver fault causes the firing solenoid control line to de-energise within 10ms, independent of FCC software state. Rationale: UHT System-Essential trait classification (50F57A19) identifies missing fail-safe behaviour specification. WCI is the final hardware stage before the firing solenoid; a stuck-energised output due to driver failure or communications loss would bypass both FCC-level and SIS-level safety functions. The 10ms de-energise time derives from the minimum firing cycle of the mounted weapon system, ensuring no unintended discharge can occur. Implemented as a normally-open relay in series with the firing solenoid, held closed only while WCI receives valid heartbeat from FCC. | Test | session-625, qc, fire-control-system, lint-fix-medium, sil-2, idempotency:sub-wci-failsafe-session-625 |
| SUB-REQ-054 | The Power Distribution Unit SHALL implement Solid-State Power Controllers (SSPCs) per MIL-STD-704F with individually programmable trip thresholds per channel, such that a fault on any single load circuit is isolated within 1ms without affecting power delivery to the remaining channels. Rationale: UHT System-Essential trait classification (D6C51018) for PDU identifies missing fault-isolation specification. Without individual SSPC isolation, a short-circuit fault on any load (e.g., TDA motor driver) would collapse 28VDC bus voltage and cause all subsystems including FCC and SIS to reset simultaneously — a single-point failure mode incompatible with the SIL-3 allocation. Per-channel SSPC isolation constrains fault propagation and maintains the required independence between safety-critical and non-safety loads. | Test | session-625, qc, power-distribution-unit, lint-fix-medium, idempotency:sub-pdu-sspc-isolation-session-625 |
| SUB-REQ-055 | The Fire Control System SHALL be housed in a sealed aluminium enclosure with a volume not exceeding 8 litres and a mass not exceeding 4.5 kg, with a NATO-standard 4-point equipment rack mounting interface and a 42-pin MIL-DTL-38999 Series III connector for all electrical connections. Rationale: The high-severity lint finding flags that 'fire control system' lacks the Physical Object trait despite imposing physical constraints in SUB-REQ-046 and SUB-REQ-050. This requirement closes the gap by explicitly defining the physical embodiment: the volume and mass budget are derived from the turret's electronics bay envelope (verified in the architecture study), and the MIL-DTL-38999 connector is mandated by MIL-STD-1553B vehicle integration for environmental sealing and EMC compliance. | Inspection | subsystem, fire-control-system, session-626, idempotency:sub-fcs-physical-embodiment-626 |
| SUB-REQ-056 | The CAN Bus and Serial Protocol Gateway SHALL monitor the operator control link heartbeat and assert the LINK-LOSS signal to the Safety Interlock System within 200ms of detecting a heartbeat gap exceeding 100ms, allowing the SIS 300ms to complete safe-state transition within the 500ms system budget of SYS-REQ-009. Rationale: SYS-REQ-009 mandates safe-state transition within 500ms of control link loss. Lint finding 69 identifies 'operator control link' as a SYS concept with no SUB coverage. The 200ms detection threshold is derived by allocating the 500ms budget: 200ms detection + 300ms SIS safe-state transition = 500ms total. The 100ms heartbeat gap threshold provides one missed heartbeat period before declaring loss at a 10Hz heartbeat rate. | Test | subsystem, communications-interface-unit, session-626, idempotency:sub-ciu-link-monitoring-626 |
| SUB-REQ-057 | While in Degraded Operation mode, the Operator Display Unit SHALL annunciate the degraded subsystem (thermal imager, drive controller, fire control computer) within 500ms of mode entry, displaying a distinct amber status icon and a text message identifying the failed subsystem in the top status bar. Rationale: SYS-REQ-011 specifies the system maintains degraded operation capability; the operator must be informed which subsystem has failed to apply correct tactics. The 500ms annunciation latency aligns with the system-level mode transition timing. Lint finding 71 identifies 'degraded operation' as a SYS concept without SUB coverage; this requirement addresses OCU's role in degraded mode management. | Test | subsystem, operator-control-unit, session-626, idempotency:sub-ocu-degraded-annunciation-626 |
| SUB-REQ-058 | The Turret Drive Controller SHALL execute a dual-axis (azimuth and elevation) stabilisation control loop at not less than 400 Hz, rejecting vehicle vibration inputs up to 30 km/h cross-country and maintaining weapon line-of-sight error below 0.1 mrad RMS, using inertial measurement unit feedback to decouple weapon pointing from vehicle dynamics. Rationale: SYS-REQ-001 requires 0.7 hit probability using stabilised fire control against a target from a vehicle moving at 15 km/h; the TDC stabilisation loop is the actuating control element. The 400 Hz update rate is derived from vehicle vibration bandwidth (primary modes up to 50 Hz for tracked vehicle per MIL-STD-810H Method 514), requiring a minimum 8x bandwidth margin. Lint finding 66 identifies 'stabilised fire control' as a SYS concept with no SUB coverage; this requirement closes that gap at the TDC. | Test | subsystem, turret-drive-assembly, session-626, idempotency:sub-tdc-stabilisation-loop-626 |
| SUB-REQ-059 | The Ballistic Computation Module SHALL validate the integrity of all fire solution inputs (LRF range, target angular velocity, atmospheric corrections) using a CRC-32 checksum appended by the supplying component, rejecting any input message with a checksum mismatch and flagging a data integrity fault to the operator HMI. Rationale: BCM is classified as Digital/Virtual and produces weapon engagement solutions — invalid or corrupted input data could cause incorrect fire solutions resulting in collateral damage. CRC-32 per CCITT provides sufficient integrity protection for inter-process communication on a single LRU; it is computationally lightweight relative to cryptographic MAC, appropriate for the 20ms computation latency constraint (SUB-REQ-015). Integrity fault flag to HMI closes the operator-in-the-loop safety argument. | Test | subsystem, fire-control-system, sil-2, session-627, idempotency:sub-bcm-data-integrity-627 |
| SUB-REQ-060 | The Turret Drive Assembly SHALL withstand the operating temperature range of -40°C to +55°C and storage temperature range of -51°C to +71°C per MIL-STD-810H (Environmental Engineering Considerations and Laboratory Tests) Method 501.7 and Method 502.7, with all rotating and sliding contact surfaces sealed to IP67 (IEC 60529) to prevent ingress of dust and water from wash-down or rain. Rationale: TDA is classified as Physical Medium (trait bit 7 in hex DEF51018), meaning it is subject to environmental wear and material degradation. The azimuth ring gear, elevation trunnion bearings, and drive motor housings are exposed to battlefield environments including mud, rain, and extreme temperature cycling. Without IP67 sealing and qualified temperature range, bearing lubricant breakdown or water ingress will cause premature failure of the drive mechanism — a single-point failure for the weapon aiming function. MIL-STD-810H temperature range is the standard MIL qualification range for ground vehicle mounted systems. | Test | subsystem, turret-drive-assembly, environmental, session-628, idempotency:sub-tda-env-protection-628 |
| SUB-REQ-061 | The Safety Interlock System SHALL operate across the ambient temperature range -40°C to +70°C and SHALL maintain its SIL 3 safety function without degradation across this range, with the Dual-Channel Safety Controller enclosure rated to IP65 per IEC 60529 against dust and low-pressure water jets from vehicle wash-down. Rationale: The SIS dual-channel controller and hardware firing interlock relay are mounted inside the turret where temperature extremes reach -40°C in Arctic conditions and +70°C in direct solar load on closed-hatch vehicles. H-001 and H-003 (unintended weapon discharge, safety bypass) require SIL 3 continuity across all operating conditions per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems). IP65 protection is required because vehicle wash-down with high-pressure jets is standard maintenance; water ingress into the safety controller could cause relay weld or contact failure in the firing interlock circuit. | Test | subsystem, safety-interlock-system, environmental, safety, sil-3, session-628, idempotency:sub-sis-env-protection-628 |
| SUB-REQ-062 | The Hardware Firing Interlock Relay SHALL be a hermetically sealed relay rated to operate across the temperature range -55°C to +125°C with a rated coil-to-contact isolation voltage of not less than 500VDC and contact resistance not exceeding 100mΩ across the full temperature range, meeting MIL-PRF-39016 (Relays and Contactors, Established Reliability) qualification. Rationale: The hardware firing interlock relay (hex D6F51019, Physical Medium trait) is the final hardware barrier preventing inadvertent weapon discharge. H-001 (unintended weapon discharge, SIL 3) requires this component to remain fail-safe across all environmental conditions. Hermetic sealing prevents moisture ingress that could cause contact weld in high-humidity environments; MIL-PRF-39016 qualification ensures established-reliability screening with quantified failure rate data for SIL 3 PFD calculation. Contact resistance limit of 100mΩ is derived from the interlock circuit current budget: at 28VDC and 50mΩ load resistance, 100mΩ contact resistance limits voltage drop to <1.4V, maintaining reliable de-energisation of the firing solenoid. | Test | subsystem, safety-interlock-system, hardware-firing-interlock-relay, environmental, safety, sil-3, session-628, idempotency:sub-hwilk-env-relay-spec-628 |
| SUB-REQ-063 | The Fire Control System SHALL provide stabilisation compensation to the ballistic solution such that first-round hit probability is not less than 0.7 against a 2m x 2m target at 200m when the host vehicle is moving at 15 km/h, by applying IMU-derived angular rate corrections to the fire control solution at not less than 100Hz. Rationale: SYS-REQ-001 specifies P_h ≥ 0.7 from a moving platform. This is achieved only if the FCS compensates for vehicle motion via IMU feedback; the 100Hz update rate is derived from the slew rate limit of 40°/s elevation — a 10ms correction interval limits uncorrected muzzle deflection to <0.003° per cycle. | Test | subsystem, fire-control-system, sil-2, session-630, idempotency:sub-fcs-stabilisation-compensation-630 |
| SUB-REQ-064 | The Turret Drive Assembly SHALL provide continuous 360° azimuth traverse and -20° to +60° elevation coverage, with slew rates not less than 60°/s in azimuth and 40°/s in elevation under maximum weapon recoil load and full ice accumulation as defined in MIL-STD-810H Method 521.4. Rationale: SYS-REQ-003 mandates the full traverse and slew envelope. The TDA's drive motors, gearboxes, and slip ring assembly are the sole mechanical means of achieving this. Ice accumulation is specified because Arctic operation is a ConOps requirement; without it the drive would not be verified against the worst-case resistive load. | Test | subsystem, turret-drive-assembly, sil-2, session-630, idempotency:sub-tda-traverse-slew-630 |
| SUB-REQ-065 | While in Degraded Operation mode with the thermal imager inactive, the Electro-Optical Sensor Assembly SHALL maintain a minimum day-camera video output at 15 fps at 1920x1080 resolution with automatic exposure adjustment, and the Fire Control System SHALL switch to manual tracking mode using day-camera contrast tracking within 5 seconds of thermal imager fault detection. Rationale: SYS-REQ-011 mandates engagement capability to 200m using day camera in degraded mode. The 5-second switchover is derived from maximum allowable gap in situational awareness during a threat encounter; longer gaps would break fire discipline. Manual tracking is the fallback because auto-track depends on thermal contrast. | Test | subsystem, electro-optical-sensor-assembly, fire-control-system, sil-2, degraded-mode, session-630, idempotency:sub-eosa-fcs-degraded-day-camera-630 |
| SUB-REQ-066 | The Communications Interface Unit SHALL transmit sensor video, target positional data, and system health status to the Battle Management System via a MIL-STD-6016 (Tactical Digital Information Link) compatible radio interface, with position report messages at not less than 1Hz and encoded video stream at not less than 15fps. Rationale: SYS-REQ-013 mandates BMS connectivity via MIL-STD-6016; the CIU is the sole radio interface subsystem. The 1Hz position rate is the minimum for tactical display update; lower rates cause track lag. The 15fps video rate is the SYS requirement passthrough — below this the operator cannot assess target engagement status. | Test | subsystem, communications-interface-unit, session-630, idempotency:sub-ciu-milstd6016-bms-link-630 |
| SUB-REQ-067 | The Fire Control System SHALL execute an automated boresight verification sequence upon entry into Operational mode from Maintenance mode, comparing day-camera and thermal imager optical axes against a common reference reticle, and SHALL report BORESIGHT-VERIFIED status within 5 minutes of sequence initiation. Rationale: SYS-REQ-015 mandates return to operational status within 5 minutes of maintenance completion via automated boresight. The FCS is the only subsystem with visibility of both sensor streams and the computational capability to run the comparison algorithm. Five-minute limit accounts for sensor warm-up plus algorithm execution time. | Test | subsystem, fire-control-system, sil-2, maintenance, session-630, idempotency:sub-fcs-boresight-verification-630 |
| SUB-REQ-068 | The Safety Interlock System's Dual-Channel Safety Controller SHALL be packaged as a dedicated sealed LRU conforming to STANAG 4370 AECTP 400 environmental specification, with the two processing channels on separate PCBs in a common electrically-shielded housing, and SHALL meet the dimensional and mass envelope defined in the Vehicle Integration Document. Rationale: Lint analysis identified that the Dual-Channel Safety Controller lacked Physical Object classification because no physical embodiment requirement existed. A SIL 3 controller must be a discrete, identifiable LRU with its own qualification trail; integration into a shared housing without a dedicated requirement creates an acceptance testing gap per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems). | Inspection | subsystem, safety-interlock-system, sil-3, lint-fix-high, session-630, idempotency:sub-sis-dcsc-physical-lru-630 |
| SUB-REQ-069 | The Target Tracking Processor SHALL output target angular position (azimuth and elevation) and angular rate (azimuth and elevation rate) to the Fire Control Computer at a minimum rate of 50 Hz, with an angular measurement resolution of not less than 0.05 mrad, formatted as a 64-byte binary packet over the internal PCIe data bus. Rationale: Finding 11: TTP classified as Outputs Effect but no output specification existed. The 50 Hz output rate matches the FCS closed-loop frequency (SUB-REQ-013). The 0.05 mrad resolution supports the 0.5 mrad RMS track error budget (SUB-REQ-014). Fire control algorithms require both position and rate to compute lead angle and filter target dynamics. | Test | subsystem, fire-control-system, target-tracking-processor, session-632, idempotency:sub-ttp-output-spec-632 |
| SUB-REQ-070 | The Ballistic Computation Module SHALL output a fire solution comprising azimuth lead angle, elevation correction, and fuze delay to the Fire Control Computer within 20ms of receiving updated inputs, with ballistic solution accuracy sufficient to achieve not less than 0.7 first-round hit probability against a 2m x 2m target at 1500m in a 0-20 km/h crosswind. Rationale: BCM is classified Outputs Effect but its output format and accuracy were not specified. The 20ms latency aligns with SUB-REQ-015. The 0.7 P1H accuracy links directly to SYS-REQ-001. Output must be quantified to enable integration testing between BCM and FCC — without a pass/fail criterion on the output, verification is not possible. | Test | subsystem, fire-control-system, ballistic-computation-module, session-632, idempotency:sub-bcm-output-spec-632 |
| SUB-REQ-071 | The Tactical Data Link Processor SHALL implement MIL-STD-6016 (STANAG 5516) message authentication using platform-keyed cryptographic validation, rejecting and logging any received messages that fail authentication, to prevent injection of false target data or fire commands via the tactical data link. Rationale: Tactical data link is classified Digital/Virtual — a cybersecurity attack injecting false target data or fire commands via the data link could cause engagement of unintended targets. MIL-STD-6016 defines authentication mechanisms; their use is mandatory in NATO tactical networks under STANAG 5048. Failure to authenticate received messages creates an unacceptable fire-control integrity risk. | Test | subsystem, communications-interface-unit, tactical-data-link, cybersecurity, session-632, idempotency:sub-tdl-cybersecurity-632 |
| SUB-REQ-072 | The Tactical Data Link Processor SHALL operate from the vehicle 28V DC bus (18V–32V operating range) with peak power consumption not exceeding 45W during active Link 16 transmission and quiescent consumption not exceeding 8W in receive-only mode. Rationale: Tactical Data Link Processor classification (hex 50F57258) includes the Powered trait. Without a defined operating voltage range and consumption budget, the PDU cannot allocate circuit protection, and thermal management cannot be scoped. 45W peak is derived from JTIDS/MIDS Class 2H terminal power specifications at maximum duty cycle. | Test | subsystem, communications-interface-unit, tactical-data-link, session-633, idempotency:sub-tdlp-power-633 |
| SUB-REQ-073 | When the Fire Control Computer detects an internal processing fault, the Fire Control System SHALL inhibit weapon firing, annunciate a fault code to the operator, and transition to safe state within 100ms of fault detection. Rationale: Fire control computer classified System-Essential (hex 51B73219); a single processing fault without failsafe response creates a hazardous state where commands may be generated without operator intent. 100ms response derived from the 8Hz servo update rate ensuring no more than one unchecked servo command is issued. Addresses SIL-2 safe-state requirement for Fire Control System. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-fcc-fault-failsafe-633 |
| SUB-REQ-074 | The Weapon Control Interface SHALL implement a hardware-enforced dual-confirmation logic where both the operator fire command and a valid safety controller channel-agree signal must be present simultaneously for the firing relay to be energised, with either input independently sufficient to de-energise within 5ms. Rationale: Weapon control interface classified System-Essential (hex 50F57A19) and SIL-2; dual-confirmation prevents spurious fire commands from a single-channel fault. The 5ms de-energisation response ensures the firing relay opens within one fire control computation cycle, preventing an unintended round from being chambered after a command withdrawal. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-wci-dual-confirm-633 |
| SUB-REQ-075 | When the Target Tracking Processor loses target track for more than 500ms, the Fire Control System SHALL automatically deselect the engagement target, inhibit the firing circuit, and require operator re-designation before a new firing solution can be computed. Rationale: TTP is System-Essential (hex D1F77219); continued weapon pointing at a lost or stale track risks engaging a non-threat target. 500ms threshold balances obscuration events (smoke, foliage) against positive control requirements per SIL-2 engagement safety. Re-designation enforces continuous operator positive control. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-ttp-tracklose-failover-633 |
| SUB-REQ-076 | The Ballistic Computation Module SHALL accept firing table and meteorological data updates only from authenticated, cryptographically signed sources, rejecting any unsigned or invalid-signature data and logging the rejection event. Rationale: BCM is classified Digital/Virtual (hex 41F73B19) and Normative; unsigned ballistic data injection is an attack vector that could corrupt firing solutions without operator awareness, leading to inaccurate or dangerous fire. Cryptographic authentication prevents data tampering in transit on the vehicle data bus. | Test | subsystem, fire-control-system, sil-2, session-633, idempotency:sub-bcm-data-auth-633 |
| SUB-REQ-077 | The Power Distribution Unit SHALL implement independent fused circuit branches for safety-critical loads (firing interlock relay, safety controller, servo drives) such that a single branch overcurrent fault does not interrupt power to any other safety-critical load. Rationale: PDU is System-Essential (hex D6C51018); a shared power fault that disables multiple safety-critical loads simultaneously creates a dormant failure mode where the system may be non-operational at a critical moment. Independent branch protection ensures single-fault tolerance per IEC 61508 SIL-3 hardware fault tolerance requirements for the Safety Interlock System. | Test | subsystem, power-distribution-unit, sil-3, session-633, idempotency:sub-pdu-branch-isolation-633 |
| SUB-REQ-078 | When the primary (optical) imaging channel fails, the Electro-Optical Sensor Assembly SHALL continue providing thermal imaging data to the Fire Control Computer with no more than 2 seconds transition latency, and the operator SHALL be alerted via the Operator Control Unit. Rationale: Optical sensor assembly is System-Essential (hex D6C51018). SYS-REQ-011 allows degraded operation with thermal channel only; without an explicit transition requirement the system may silently lose the primary channel leaving the operator unaware. 2s transition matches the minimum operator response time specified in HFE-DMH ergonomics baseline. | Demonstration | subsystem, electro-optical-sensor-assembly, sil-2, session-633, idempotency:sub-eosa-channel-failover-633 |
| SUB-REQ-079 | The Fire Control System SHALL enforce that the operator explicitly acknowledges positive target identification (IFF status FRIEND, NEUTRAL, or UNKNOWN-HOSTILE with operator confirmation) on the Operator Control Unit before the fire-ready state can be achieved, and SHALL log the acknowledgement timestamp and operator identifier. Rationale: RWS is Ethically Significant (hex D6FC7059). International humanitarian law (IHL), including the HPCR Manual on International Law Applicable to Air and Missile Warfare, and Rules of Engagement (ROE) require positive target identification before lethal force. The consequence of failure (fratricide or civilian harm) is catastrophic (S3 per IEC 61508 risk graph). However, this is a SOFTWARE-IMPLEMENTED operator confirmation step — not a hardware safety function — and serves as a defence-in-depth control supplementing the primary SIL-3 hardware interlock chain (SIS → DCSC → HFIR). Per IEC 61508-3 (Software Requirements), a software safety function with S3 consequence but implemented as a defensive layer below the primary hardware barrier is allocated SIL-2, not SIL-3. SIL-3 for software requires formal verification methods (including theorem proving or model checking) not mandated here. The primary SIL-3 barrier remains the hardware firing interlock (SUB-REQ-001 through SUB-REQ-004). This requirement is allocated SIL-2, requiring structured software development, MC/DC testing, and independent software verification per IEC 61508-3 Section 7.4. | Inspection | subsystem, fire-control-system, ethical, roe, session-633, idempotency:sub-fcs-positive-id-roe-633, red-team-session-640, reqs-eng-session-641, sil-2 |
| SUB-REQ-080 | The Tactical Data Link Processor SHALL comply with MIL-STD-6016E (Tactical Data Link Standard for JTIDS/MIDS) for all Link 16 message formatting, timing, and encryption, and SHALL support a minimum of Link 16 J-series message types J2.2 (Track Data), J3.0 (Reference Point), and J7.0 (Net Entry) to enable BMS integration. Rationale: SYS-REQ-013 mandates MIL-STD-6016 compatible tactical data link. Without explicit compliance at the subsystem level, the TDLP could be implemented with a proprietary superset that fails system integration tests. J2.2, J3.0, and J7.0 are the minimum message set required for RWS track reporting and BMS integration per STANAG 5516 interoperability baseline. | Test | subsystem, communications-interface-unit, tactical-data-link, regulated, session-633, idempotency:sub-tdlp-milstd6016-633 |
| SUB-REQ-081 | The Fire Control System SHALL perform automated boresight verification between the gun barrel axis and the primary day-channel optical line-of-sight at system power-on and after barrel replacement, reporting a pass or fail result within 60 seconds, with pass criterion of bore offset not exceeding 0.3 mrad. Rationale: SYS-REQ-015 requires barrel change support in under 15 minutes; without automated boresight verification after barrel replacement the system cannot confirm weapon-to-sensor alignment before resuming operations. 0.3 mrad bore offset threshold is derived from SYS-REQ-001 first-round hit probability requirement at 1000m engagement range. | Test | subsystem, fire-control-system, session-633, idempotency:sub-fcs-auto-boresight-633 |
| SUB-REQ-082 | While in Degraded Operation mode with one sensor modality failed, the Remote Weapon Station SHALL maintain a minimum engagement range of 800m against stationary targets with the remaining sensor channel and SHALL alert the operator within 3 seconds of sensor failure detection. Rationale: STK-REQ-012 specifies degraded operation but provides no measurable performance floor. 800m minimum engagement range is derived from the degraded-channel acquisition probability curve: at 800m the single-channel P(first-round-hit) remains above 0.5 against a stationary 2.3m target. The 3-second alert bound is the maximum delay for operators to adjust tactics per human factors engineering baseline. | Demonstration | subsystem, electro-optical-sensor-assembly, fire-control-system, session-633, idempotency:sub-rws-degraded-mode-metrics-633 |
| SUB-REQ-083 | When the Fire Control Computer hardware watchdog asserts a system reset, the Fire Control Computer SHALL complete a controlled restart, re-run Built-In Test, and return to the last operational mode within 10 seconds, maintaining the weapon in the SAFE state throughout the recovery sequence. Rationale: The FCC is System-Essential (SIL-2 context) and its restart path is not currently specified. 10-second recovery bound is derived from SYS-REQ-002 (8s engagement time) — an FCC reset during engagement must complete before the next engagement window, plus 2s margin. SAFE state maintenance throughout ensures a watchdog reset cannot be exploited to bypass the firing interlock. | Test | subsystem, fire-control-system, sil-2, fcc-fdir, session-634, idempotency:sub-fcc-restart-recovery-634 |
| SUB-REQ-084 | The Operator Control Unit SHALL present all primary fire control functions (arm, fire, mode select, target track enable) within a single operating screen requiring no more than two control actuations to reach any safety-critical function from the rest state. Rationale: RWS is Human-Interactive (operator-in-the-loop for all engagements). Cognitive workload under stress is a human factors risk; two-action maximum derives from NATO STANAG 4586 (UAV Control Systems) HMI workload principles applied to weapon system interfaces and matches SYS-REQ-007 two-action arming sequence. | Demonstration | subsystem, operator-control-unit, hmi, human-factors, session-634, idempotency:sub-ocu-hmi-workload-634 |
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| IFC-REQ-001 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL use a turret ring mechanical mounting compliant with STANAG 4472 Edition 2 (RWS/RCWS mounting interface), capable of transmitting 25kN peak recoil load and 15kN sustained lateral load without structural yielding, with a ring diameter of 775mm ±1mm, 24 M12 class 10.9 mounting bolts on a 750mm PCD, and a positional misalignment tolerance of ±0.5mm to maintain weapon boresight alignment under all operating loads. Rationale: External interface: Host Vehicle Platform provides the structural mounting. STANAG 4472 Edition 2 is the NATO standard governing RWS mounting interfaces, adopted to ensure cross-vehicle interoperability across NATO partner platforms. 25kN peak recoil from .50 cal HMG ballistic data (NATO EPVAT round); 15kN lateral from NATO STANAG 4569 Level 1 blast and ballistic test conditions. 775mm ring diameter and 750mm PCD are standard for vehicle class IIIb. ±0.5mm misalignment tolerance preserves <0.1 mil bore axis deviation under load. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-mechanical-617, red-team-session-640, reqs-eng-session-641 |
| IFC-REQ-002 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL receive 28VDC power (18-32V operating range per MIL-STD-1275E) at a maximum continuous draw of 2kW and peak draw of 3.5kW during slew-and-fire. Rationale: External interface: Vehicle power bus is the sole power source. Power budget: 500W surveillance + 1.5kW servo slew + 500W weapon feed = 2.5kW typical peak. 3.5kW includes transient margin for simultaneous operations. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-power-617 |
| IFC-REQ-003 | The interface between the Remote Weapon Station and the Host Vehicle Platform SHALL exchange vehicle status and power management data via CAN-bus (ISO 11898, 500 kbps) with message latency not exceeding 10ms. Rationale: External interface: CAN-bus is the vehicle data backbone. FCS needs vehicle speed and heading for ballistic computation; vehicle needs RWS power demand for load management. 10ms latency ensures fire control solution freshness. | Test | interface, external, session-617, idempotency:ifc-ext-vehicle-canbus-617 |
| IFC-REQ-004 | The interface between the Remote Weapon Station and the GPS/Navigation System SHALL receive position and heading data via RS-422 at 10 Hz in NMEA-0183 or military GPS format, with position accuracy of less than 10m CEP. Rationale: External interface: GPS provides position for ballistic computation (Coriolis correction at long range) and blue force tracking. RS-422 chosen for noise immunity in the vehicle EMI environment. 10 Hz matches FCS update rate. | Test | interface, external, session-617, idempotency:ifc-ext-gps-617 |
| IFC-REQ-005 | The interface between the Remote Weapon Station and the Ammunition Supply System SHALL accept STANAG 4090 compatible linked ammunition via an articulated belt feed chute from a vehicle-mounted magazine of 200 to 400 round capacity. Rationale: External interface: Ammunition supply is mechanical. STANAG 4090 ensures interoperability with NATO ammunition types. Flexible chute accommodates turret rotation. Magazine size trades capacity against vehicle interior space. | Inspection | interface, external, session-617, idempotency:ifc-ext-ammo-617 |
| IFC-REQ-006 | The interface between the Remote Weapon Station and the Tactical Data Link (BMS) SHALL transmit compressed sensor video at not less than 15 fps, position reports at 1 Hz, and target data with end-to-end latency not exceeding 200ms for engagement-critical messages. Rationale: External interface: Tactical data link enables remote engagement authorization by the Tactical Commander. 200ms latency budget is allocated from the 8s detect-to-fire timeline. H.264 compression at 15 fps balances bandwidth and image quality. | Test | interface, external, session-617, idempotency:ifc-ext-bms-617 |
| IFC-REQ-007 | The interface between the Electro-Optical Sensor Assembly and the Fire Control System SHALL provide uncompressed digital video (640x512, 30 fps minimum) on both EO and TI channels simultaneously, with frame timestamp synchronisation to less than 1ms. Rationale: Internal interface: FCS needs raw uncompressed video for auto-tracker centroid computation. Timestamp sync ensures tracker fusion of EO and TI data does not introduce lag. 30 fps supports 10 Hz tracking loop with 3x oversampling. | Test | interface, internal, session-617, idempotency:ifc-int-eosa-fcs-video-617 |
| IFC-REQ-008 | The interface between the Fire Control System and the Turret Drive Assembly SHALL provide servo demand signals (azimuth and elevation rate commands) at 100 Hz via a dedicated serial link, with the TDA returning encoder position feedback at the same rate. Rationale: Internal interface: the servo control loop requires 100 Hz update rate for 0.2 mrad pointing accuracy under vehicle vibration. Dedicated link prevents bus contention with lower-priority traffic. | Test | interface, internal, session-617, idempotency:ifc-int-fcs-tda-servo-617 |
| IFC-REQ-009 | The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly SHALL be a hardwired normally-open relay contact (IEC 61810 class C rated at minimum 24 VDC / 5A resistive load) that physically interrupts the weapon firing circuit within 10ms of the SIS entering any state other than FIRE ENABLED, with a minimum isolation voltage of 500 VDC between the SIS control circuit and the WAH firing circuit, and with contact bounce not exceeding 2ms. Rationale: Internal interface: SIL 3 firing chain safety per IEC 61508 (Functional Safety of E/E/PE Safety-Related Systems), hazard H-001 (unintended weapon discharge) and H-007 (loss of fire control). The IEC 61810 class C rating ensures the relay is qualified for safety applications. Normally-open contact means loss of SIS control power results in firing circuit open (fail-safe). 10ms maximum switching time is within the safe reaction time derived from weapon charge-to-fire latency (>150ms), giving 15:1 margin. 500 VDC isolation prevents transient coupling between the SIS low-voltage logic domain and the WAH firing circuit. 2ms contact bounce limit prevents false re-enabling of the firing circuit during relay release. | Test | interface, internal, safety, sil-3, session-617, idempotency:ifc-int-sis-wah-firing-617, red-team-session-640, reqs-eng-session-641 |
| IFC-REQ-010 | The interface between the Safety Interlock System and the Turret Drive Assembly SHALL provide a hardwired brake-release signal; when de-asserted, spring-applied mechanical brakes on both axes SHALL engage within 200ms. Rationale: Internal interface: SIL 2 turret motion safety per H-002. Spring-applied brakes default to engaged on power loss. SIS controls brake release via dedicated hardwired signal independent of FCS software. | Test | interface, internal, safety, sil-2, session-617, idempotency:ifc-int-sis-tda-brake-617 |
| IFC-REQ-011 | The interface between the Arming Key Switch Assembly and the Dual-Channel Safety Controller SHALL be a direct hardwired 28VDC discrete signal per key position (SAFE: 0V, ARMED: 28V, MAINTENANCE-LOCKOUT: floating/open), with no intervening software processing, maximum signal propagation delay of 1ms, and wire continuity monitored by the controller at 100Hz. Rationale: Hardware-direct wiring (no software intermediary) is mandated by SYS-REQ-007 and SYS-REQ-008 to ensure the key switch state cannot be spoofed by a software fault. 28VDC matches the vehicle bus standard. 100Hz monitoring ensures the controller detects wire open/short within 10ms, supporting the 100ms fault-safe-state budget. | Test | interface, safety-interlock-system, sil-3, safety, session-618, idempotency:ifc-aks-dsc-618 |
| IFC-REQ-012 | The interface between the E-stop and Link Watchdog Module and the Dual-Channel Safety Controller SHALL be a dual hardwired discrete signal (one per channel of the 1oo2D controller), with signal assertion latency not greater than 5ms from event detection, providing galvanic isolation of at least 500V between the module and each controller channel. Rationale: Dual signals align with the 1oo2D architecture so each controller channel receives an independent safe-state trigger. Galvanic isolation prevents a fault in the E-stop circuit from propagating to the controller power rail. 5ms latency fits within the 200ms watchdog trigger budget with 40x margin. | Test | interface, safety-interlock-system, sil-2, safety, session-618, idempotency:ifc-ewd-dsc-618 |
| IFC-REQ-013 | The interface between the Dual-Channel Safety Controller and the Hardware Firing Interlock Relay SHALL be a 24VDC energise signal with both controller channels required to assert simultaneously (AND-gate logic in relay driver), signal de-assertion propagating to relay de-energisation within 10ms, and the relay feedback state returned to both controller channels for output verification. Rationale: Requiring both channels to simultaneously assert fire-enable prevents a single stuck-high channel from activating the relay — maintaining SIL 3 fault tolerance. Feedback verification allows the controller to detect relay weld failure (stuck energised), a critical failure mode that would bypass the primary firing barrier. | Test | interface, safety-interlock-system, sil-3, safety, session-618, idempotency:ifc-dsc-hfi-618 |
| IFC-REQ-014 | The interface between the Dual-Channel Safety Controller and the Safe State Output Driver SHALL carry separate drive commands for each actuator output (azimuth brake, elevation brake, firing inhibit relay coil) on a dedicated hardwired bus, with command-to-actuator response time not greater than 20ms and actuator current feedback monitored by the controller to detect open-circuit and short-circuit faults. Rationale: Individual actuator command lines allow the controller to de-energise specific outputs during partial safe states (e.g., brakes only, not firing inhibit) rather than all outputs simultaneously. Current feedback enables the controller to detect actuator failures that would otherwise only be discovered during emergency operation, supporting the IEC 61508 SIL 3 diagnostic coverage requirement. | Test | interface, safety-interlock-system, sil-2, safety, session-618, idempotency:ifc-dsc-ssod-618 |
| IFC-REQ-015 | The interface between the Target Tracking Processor and the Fire Control Computer SHALL transfer target centroid coordinates in mrad relative to boresight, track quality metric (0.0–1.0), and target angular velocity vector at 50Hz via a PCIe x4 internal bus with end-to-end latency not exceeding 1ms. Rationale: The FCC pointing loop (SUB-REQ-013) requires track data at 50Hz. PCIe x4 is available on the FCS backplane and provides sufficient bandwidth (>1Gbps) for this data at sub-millisecond latency. Competing alternatives (Ethernet, USB) add latency and jitter incompatible with the 20ms control budget. | Test | interface, fire-control-system, session-620, idempotency:ifc-ttp-fcc-track-620 |
| IFC-REQ-016 | The interface between the Fire Control Computer and the Ballistic Computation Module SHALL provide LRF range measurement (±5m accuracy), target angular velocity from TTP, host platform linear velocity (from IMU at 100Hz), and ammunition ballistic coefficient table; and the BCM SHALL return azimuth and elevation corrections in mrad within 20ms of receiving updated range. Rationale: BCM runs as a software thread on FCC (ARC-REQ-008), so this is an intra-processor data interface. Defining it as an explicit interface requirement ensures the ballistic thread scheduler priority and data freshness are verified in integration test. 20ms latency requirement is from SYS-REQ-002 engagement time budget. | Test | interface, fire-control-system, session-620, idempotency:ifc-fcc-bcm-ballistic-620 |
| IFC-REQ-017 | The interface between the Fire Control Computer and the Weapon Control Interface SHALL use RS-422 full-duplex at 115200 baud transmitting FIRE, CEASE, and SAFE commands with a 16-bit CRC, and the WCI SHALL return round counter and fault status at 10Hz. End-to-end command latency SHALL not exceed 1ms. Rationale: RS-422 provides differential signalling with inherent noise immunity for the weapon bay environment (high electrical noise from solenoid switching). 115200 baud is sufficient for command throughput at 10Hz status telemetry; at 8N1 it serialises about 11.5 bytes per millisecond, so the 1ms latency bound limits a command frame, CRC included, to roughly 11 bytes on the wire and command frames must be kept minimal. The WCI is galvanically isolated from FCC via RS-422 opto-couplers to protect FCC logic from solenoid transients (per ARC-REQ-008). The CRC ensures command integrity against noise-induced bit errors; it provides no authentication of the sender, so protection against deliberate injection rests on the link being a point-to-point pair inside the weapon bay and on the hardware interlocks of IFC-REQ-009 and IFC-REQ-013. | Test | interface, fire-control-system, session-620, idempotency:ifc-fcc-wci-rs422-620 |
| IFC-REQ-018 | The interface between the Barrel Change Mechanism and the Safety Interlock System SHALL transmit barrel lock status as a hardwired 24VDC discrete output using an energise-to-permit convention (24V = barrel locked, 0V or open circuit = barrel not locked), with signal update latency not exceeding 50ms from barrel lock state change. Rationale: A hardwired discrete signal (not digital bus) is required because the barrel retention condition feeds the SIS hardware interlock chain. SIS-level interlocks must be hardware-isolated from software bus failures. The energise-to-permit convention ensures a wiring fault (open circuit, short to ground, or loss of the 24V supply) reads as barrel-not-locked and de-asserts the fire permit signal, enforcing fail-safe behaviour; the opposite encoding (0V = locked) would let a broken wire masquerade as a locked barrel. | Test | interface, weapon-and-ammunition-handling, sil-2, session-621, idempotency:ifc-bcm-sis-barrel-621 |
| IFC-REQ-019 | The interface between the Ammunition Magazine Assembly and the Fire Control Computer SHALL transmit round-count data at 1Hz via MIL-STD-1553B Bus B, with a resolution of 1 round and a count accuracy of ±5 rounds across the full 400-round capacity. Rationale: 1Hz update rate is sufficient for operator awareness and mission planning; between updates the count can change by at most the weapon cyclic rate divided by 60 (rounds per second), so during a burst the displayed count lags actual consumption by up to one second of fire, which is acceptable for endurance assessment. MIL-STD-1553B Bus B is chosen for consistency with the vehicle-level data bus architecture and inherent error detection. ±5 round accuracy is sufficient for the operator to assess remaining endurance; sub-round accuracy is not achievable with belt-count sensors and not required for any safety function. | Test | interface, weapon-and-ammunition-handling, session-621, idempotency:ifc-ama-fcc-roundcount-621 |
| IFC-REQ-020 | The interface between the Belt Feed and Transfer Mechanism and the Weapon Cradle and Mount SHALL maintain belt tension within 15N to 25N at the weapon feed port across the full RWS traverse envelope of 360° azimuth and -20° to +55° elevation, preventing belt sag (below 15N) and feed jams (above 25N). Rationale: Belt tension outside 15-25N is the primary cause of feed jams in belt-fed weapon systems on remote turrets. Below 15N the belt sags and misaligns at the feed port during rapid traverse; above 25N belt links bind and the feed pawls skip. The full traverse envelope test is required because tension varies with belt path geometry as the turret moves. | Test | interface, weapon-and-ammunition-handling, session-621, idempotency:ifc-bftm-wcm-tension-621 |
| IFC-REQ-021 | The interface between the Fire Control Computer and the Turret Drive Controller SHALL transmit weapon aiming demand packets at 50Hz via PCIe, with azimuth and elevation demand angles encoded as 32-bit IEEE 754 floats in radians, and end-to-end latency from FCC demand generation to TDC actuator command not exceeding 5ms. Rationale: 50Hz aiming demand rate is derived from the FCS control loop rate (SYS-REQ-001 hit probability). 5ms end-to-end latency ensures the TDA follows the fire control solution within the lag budget: at 30°/s maximum slew rate, 5ms latency corresponds to 0.15° (about 2.6 mrad) of transport delay, far larger than the 0.1 mrad pointing allocation, so the bound does not sit inside that allocation. It caps a delay that must be fixed and known so the TDC demand pipeline can compensate for it; the residual closed-loop error is what the 0.1 mrad allocation covers. | Test | interface, turret-drive-assembly, sil-2, session-621, idempotency:ifc-fcc-tdc-aiming-621 |
| IFC-REQ-022 | The Azimuth Slip Ring Assembly SHALL transfer 24VDC power at up to 20A continuous, MIL-STD-1553B data at 1Mbps, Ethernet 100BASE-TX, and analog sensor signals (±10V, 10kHz bandwidth) without signal degradation exceeding 3dB or contact resistance increasing beyond 10mΩ over the rated life of 50,000 rotations. Rationale: Continuous 360° azimuth requires electrical continuity through the rotation joint. The multi-circuit specification (power + 1553B + Ethernet + analog) covers all signals that must cross the azimuth rotation boundary. Contact resistance and signal attenuation limits are derived from downstream subsystem power and data margin requirements. | Test | interface, turret-drive-assembly, session-621, idempotency:ifc-sra-circuits-621 |
| IFC-REQ-023 | The interface between the Electro-Optical Sensor Assembly and the Fire Control Computer SHALL transmit simultaneous thermal and daylight video streams at 50Hz via dual GigE Vision (IEEE 802.3) connections, with end-to-end video latency not exceeding 30ms from scene capture to FCC frame buffer. Rationale: Simultaneous dual-channel video is required for FCS automatic target acquisition which correlates day and thermal imagery. 30ms maximum video latency is derived from the 5-second detect-to-fire timeline — latency above 30ms would cause the target tracking loop to lose lock on a target moving at 50 km/h. | Test | interface, electro-optical-sensor-assembly, sil-2, session-621, idempotency:ifc-eosa-fcc-video-621 |
| IFC-REQ-024 | The interface between the OCU Control Processing Unit and the Fire Control Computer SHALL carry dual-channel video (thermal and daylight) from FCC to OCU CPU via 1000BASE-T Ethernet with a video bandwidth allocation of 200 Mbps, and SHALL carry operator command packets (slew, arm, fire mode) from OCU CPU to FCC at 100Hz with latency not exceeding 5ms. Rationale: The 200 Mbps allocation is sized for two video channels at 50Hz; 100BASE-TX carries only 100 Mbps per direction and cannot meet it, hence Gigabit Ethernet, and the allocation must be confirmed against the resolution and bit depth actually delivered to the FCC (IFC-REQ-023) before the link is frozen. Command packet latency of 5ms ensures OCU CPU does not add perceptible latency to the weapon control path; combined with GHC 10ms and FCC processing, total operator-to-turret command latency stays within 25ms. | Test | interface, operator-control-unit, session-621, idempotency:ifc-ocu-fcc-621 |
| IFC-REQ-025 | The interface between the Tactical Data Link Processor and the external Battle Management System SHALL use MIL-STD-6016 (STANAG 5516) over a compatible radio transceiver at the vehicle external antenna, providing a minimum data throughput of 115.2 kbps for tactical message exchange. Rationale: IFC-REQ-006 specifies BMS data link requirements at system level; this interface requirement defines the physical/protocol boundary at the TDP output where it connects to the external radio. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-tdp-bms-radio-622 |
| IFC-REQ-026 | The interface between the Video Compression and Network Interface Module and the Tactical Data Link Processor SHALL exchange compressed video metadata and target data over an internal Gigabit Ethernet link with a frame scheduling latency not exceeding 10ms. Rationale: The TDP must annotate video frames with target track data before BMS transmission; the 10ms scheduling latency ensures the combined end-to-end 200ms budget in IFC-REQ-006 is not exceeded by internal CIU processing. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-vcni-tdp-internal-622 |
| IFC-REQ-027 | The interface between the CAN Bus and Serial Protocol Gateway and the Fire Control Computer SHALL provide GPS position and heading data over the internal RWS Ethernet (UDP, port 5000) at 10 Hz with a timestamp accuracy of better than 5ms relative to GPS time-of-validity. Rationale: IFC-REQ-004 requires GPS data at 10Hz for ballistic computation; the 5ms timestamp accuracy is necessary for lead angle calculations at slew rates up to 60 deg/s per SYS-REQ-003. | Test | interface, communications-interface-unit, session-622, idempotency:ifc-cpg-fcs-gps-622 |
| IFC-REQ-028 | The interface between the Power Distribution and Protection Module and the Safety Interlock System SHALL provide an always-on, non-load-shedded 28VDC supply rail at a minimum of 2A, with supply voltage maintained within 18-32VDC even during load shedding events on other subsystem branches. Rationale: The SIS must remain powered during all fault and load-shedding scenarios to maintain the safe state — de-energising the SIS power rail during any fault condition would prevent the safety function from executing. This is a functional safety requirement driven by IEC 61508 SIL 3 integrity of the SIS. | Test | interface, power-distribution-unit, sil-3, session-622, idempotency:ifc-pdpm-sis-always-on-622 |
| IFC-REQ-029 | The interface between the Power Monitor and Control Unit and the Fire Control Computer SHALL transmit power telemetry messages over RS-422 (38400 baud) using a defined message format containing per-branch voltage, current, and fault status at a minimum of 10 Hz. Rationale: FCS needs real-time power status to implement load priority algorithms during peak demand (e.g., disable OCU display rather than FCS during slew-and-fire). Message format and baud rate must be agreed at system integration. | Test | interface, power-distribution-unit, session-622, idempotency:ifc-pmcu-fcs-telemetry-622 |
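
A worked example of the command framing IFC-REQ-017 calls for, added here as an illustration and not the project's own protocol or code: it builds FIRE/CEASE/SAFE frames with a 16-bit CRC, shows the WCI-side parser rejecting a single flipped bit and a repeated frame, and checks the serialisation time of a frame against the 1ms bound at 115200 baud. The frame layout (sync, command, sequence, CRC), the 0xA5 sync byte, the command codes and the CRC variant (CRC-16/CCITT-FALSE) are all assumptions; the page specifies only the link type, baud rate, the three commands, a 16-bit CRC and the latency bound.

```python
"""Command framing for the FCC -> WCI RS-422 link described in IFC-REQ-017.

Added illustration only. The frame layout (sync byte, command byte, sequence
byte, CRC-16/CCITT-FALSE), the sync value and the command encodings are
assumptions; the page specifies only RS-422, 115200 baud, the three commands,
a 16-bit CRC and a 1 ms command latency bound.
"""
from typing import Optional, Tuple

SYNC = 0xA5                                               # assumed frame delimiter
COMMANDS = {"SAFE": 0x00, "CEASE": 0x0F, "FIRE": 0xF0}   # assumed codes, pairwise Hamming distance >= 4
CMD_BY_CODE = {code: name for name, code in COMMANDS.items()}
FRAME_LEN = 5                                             # sync + cmd + seq + crc16
BAUD = 115200
BITS_PER_BYTE = 10                                        # 8N1: start + 8 data + stop


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: polynomial 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def encode(command: str, seq: int) -> bytes:
    """Build one command frame; seq is an 8-bit rolling counter kept by the FCC."""
    body = bytes([SYNC, COMMANDS[command], seq & 0xFF])
    return body + crc16_ccitt(body).to_bytes(2, "big")


def decode(frame: bytes, last_seq: Optional[int] = None) -> Optional[Tuple[str, int]]:
    """WCI-side parse. Returns (command, seq) or None for any frame that fails a check:
    wrong length, wrong sync, CRC mismatch, unknown command code, or (when last_seq is
    supplied) a repeated sequence number, so a line glitch cannot re-deliver a stale FIRE."""
    if len(frame) != FRAME_LEN or frame[0] != SYNC:
        return None
    if int.from_bytes(frame[3:5], "big") != crc16_ccitt(frame[:3]):
        return None
    command = CMD_BY_CODE.get(frame[1])
    if command is None:
        return None
    seq = frame[2]
    if last_seq is not None and seq == last_seq:
        return None
    return command, seq


def frame_time_ms(n_bytes: int = FRAME_LEN) -> float:
    """Serialisation time of n_bytes on the wire at 115200 baud 8N1, in milliseconds."""
    return n_bytes * BITS_PER_BYTE / BAUD * 1000.0


def corrupt(frame: bytes, byte_index: int, bit: int) -> bytes:
    """Flip one bit, modelling a noise-induced error on the link."""
    out = bytearray(frame)
    out[byte_index] ^= 1 << bit
    return bytes(out)


if __name__ == "__main__":
    fire = encode("FIRE", 7)
    print(fire.hex(), decode(fire))                  # valid frame is accepted
    print(decode(corrupt(fire, 1, 0)))               # FIRE code corrupted: CRC rejects it
    print(decode(fire, last_seq=7))                  # duplicate of the last frame: rejected
    print(f"{frame_time_ms():.3f} ms on the wire")   # well inside the 1 ms bound
```

The five-byte frame occupies about 0.43ms of the 1ms budget, which leaves room for the opto-coupler and UART latencies but not for a longer frame; any additional fields (a timestamp, a second CRC) need to be costed against the same bound.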
| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| ARC-REQ-001 | ARC: Safety Interlock System separated from Fire Control System — The weapon safety function (SIS) is implemented as a separate hardware subsystem from the fire control computation (FCS). Alternative: single FCS with software safety layer. Rejected because IEC 61508 SIL 3 requires diversity between the safety function and the control function. A software fault in the FCS must not be capable of defeating the firing interlock. Rationale: H-001, H-003, H-007 require SIL 3 for the firing chain. IEC 61508 Part 2 Table A.2 mandates diverse redundancy at SIL 3. Software-only safety in the same processor as the FCS cannot achieve the required PFH (probability of dangerous failure per hour) of <1E-7, the SIL 3 target for high-demand operation, nor demonstrate independence from FCS control faults. | Analysis | architecture, safety, session-617, idempotency:arc-sis-separation-617 |
| ARC-REQ-002 | ARC: Turret Drive Assembly as mechanical subsystem — The TDA groups servo motors, encoders, brakes, gyro/IMU, and structural turret ring into one subsystem. Alternative: separate servo electronics from mechanical structure. Rejected because the servo control loop requires tight coupling between motor, encoder, and gyro — distributing these across subsystems would introduce interface latency in the 100 Hz control loop. Rationale: 100 Hz servo loop with 0.2 mrad accuracy requires deterministic timing between encoder read, gyro compensation, and motor command. Physical co-location minimises cable length and EMI susceptibility in the power drive circuits. | Analysis | architecture, session-617, idempotency:arc-tda-grouping-617 |
| ARC-REQ-003 | ARC: Electro-Optical Sensor Assembly as integrated sensor head — The EOSA integrates day camera, thermal imager, and laser rangefinder into a single gimballed head. Alternative: distributed sensors (e.g., fixed TI with separate gimballed day camera). Rejected because boresight coherence between sensors is critical for target handoff from detection (TI) to identification (day camera) to ranging (LRF). An integrated head maintains mechanical boresight alignment. Rationale: Target engagement requires seamless sensor handoff. Distributed sensors require active boresight maintenance algorithms and add latency. Integrated heads are standard in operational RWS (e.g., M151 PROTECTOR, CROWS) for this reason. | Analysis | architecture, session-617, idempotency:arc-eosa-integration-617 |
| ARC-REQ-004 | ARC: Separate Communications Interface Unit — External data link functions are isolated in a dedicated CIU rather than integrated into the FCS. Alternative: FCS handles all external comms. Rejected because tactical data link protocols (MIL-STD-6016) and video compression are processing-intensive and not safety-critical; hosting them on the SIL-rated FCS processor would bring them inside the FCS safety case, so they would have to be developed to the FCS SIL or shown not to interfere with the safety function, increasing cost and schedule. Rationale: Separation of safety-related (FCS, SIL 2 for computation) from non-safety-related (CIU, no SIL allocation) processing reduces certification scope. The CIU can use commercial-grade video encoders without contaminating the FCS safety case. | Analysis | architecture, session-617, idempotency:arc-ciu-separation-617 |
| ARC-REQ-005 | ARC: Spring-applied electrically-released brakes — TDA uses spring-applied, electrically-released mechanical brakes on both axes. Alternative: electrically-applied brakes. Rejected because fail-safe behaviour requires brakes to engage on power loss. In the IED Strike scenario (H-006), cable damage de-energises the turret — spring-applied brakes automatically arrest turret motion without requiring power or software intervention. Rationale: H-002 (uncommanded turret motion, SIL 2) and H-006 (loss of control link) both require fail-safe braking. Spring-applied brakes are the only architecture that guarantees braking on total power loss. This is standard in safety-critical servo systems. | Analysis | architecture, safety, session-617, idempotency:arc-brake-failsafe-617 |
| ARC-REQ-006 | ARC: Safety Interlock System 1oo2D redundant channel architecture — The Dual-Channel Safety Controller implements 1oo2D (one-out-of-two with diagnostics) voting with independent processing channels and cross-channel monitoring. Alternative: single SIL-3 channel with increased reliability. Rejected because IEC 61508 SIL 3 for a type B subsystem (complex electronics whose failure modes are not fully defined) requires hardware fault tolerance HFT=1 when the safe failure fraction is in the 90% to <99% band (IEC 61508-2 Table 3, Route 1H), meaning the safety function must tolerate one channel failure. The 1oo2D architecture meets the SIL 3 high-demand target of PFH < 1×10⁻⁷ per hour and provides the online diagnostic coverage that keeps the safe failure fraction above 90%. Rationale: Architecture decisions are verified by design review inspection: confirm the 1oo2D redundant channel architecture is implemented as specified in the design documentation, safety case, and FMEDA. The architectural independence property is confirmed by physical inspection of channel separation, power supplies, and signal paths. | Inspection | architecture, safety, safety-interlock-system, sil-3, session-618, idempotency:arc-sis-1oo2d-618 |
| ARC-REQ-007 | ARC: Fire Control System decomposed into FCC, TTP, BCM, and WCI — The FCS is split into four components: Fire Control Computer (master controller), Target Tracking Processor (dedicated video processing FPGA/GPU), Ballistic Computation Module (software module on FCC), and Weapon Control Interface (hardware firing translator). Alternative: monolithic FCS with all functions in one SBC. Rejected because TTP requires hardware video acceleration incompatible with the FCC real-time OS; and WCI requires galvanic isolation from FCC to prevent firing solenoid transients corrupting the fire control computation. BCM is a software module on FCC (not a separate processor) because ballistic computation latency requirement of 20ms is achievable on FCC and adding a separate board adds interface latency and failure modes. Rationale: IFC-REQ-007 (EOSA video at 50Hz) requires >500Mbps processing bandwidth not achievable on the FCC general-purpose processor. Weapon solenoid drive emits 100V switching transients requiring 1500V optical isolation to protect FCC logic. BCM latency of 20ms (from SYS-REQ-002 engagement time budget) is achievable as a software thread on FCC without added inter-processor latency. | Analysis | architecture, fire-control-system, session-620, idempotency:arc-fcs-decomposition-620 |
| ARC-REQ-009 | ARC: Weapon and Ammunition Handling Assembly — Passive structural decomposition with dedicated recoil management. The WAHA separates weapon mounting (Weapon Cradle and Mount), recoil attenuation (Recoil Buffer and Damping System), ammunition storage (Ammunition Magazine Assembly), belt routing (Belt Feed and Transfer Mechanism), and barrel maintenance (Barrel Change Mechanism) into discrete components. This decomposition was chosen over a monolithic weapon mount because independent recoil management allows the turret structure to be designed to a 5kN transmitted force ceiling rather than 25kN peak, reducing turret mass by approximately 40%. Barrel change and magazine reload are isolated from load-bearing components to enable single-maintainer servicing without removing the cradle. Rationale: Structural decomposition decision with direct mass and maintainability implications. Separating recoil buffer from cradle reduces turret structural sizing and enables independent replacement of high-wear components. | Inspection | architecture, weapon-and-ammunition-handling, session-621, idempotency:arc-waha-621 |
| ARC-REQ-010 | ARC: Turret Drive Assembly — Dual-axis motion control with slip ring power transfer and dual-redundant encoders. Separate azimuth and elevation motor-gearbox units were chosen over a single gimbal drive because the differing travel ranges (360° azimuth vs 75° elevation) and torque requirements (500Nm vs 200Nm) require different gear ratios. The worm gearbox on the elevation axis provides self-locking at power loss, eliminating the need for a separate elevation hold brake. Dual-redundant encoders allow TDC and SIS to independently verify turret position — a single-encoder failure does not compromise the SIS-level drive inhibit function. Rationale: Dual-axis separation, worm drive elevation, and dual-redundant encoder selection are the three key architectural decisions for the TDA. All three have direct implications for safety (SIL 2 drive inhibit), performance (slew rate), and maintainability. | Inspection | architecture, turret-drive-assembly, sil-2, session-621, idempotency:arc-tda-621 |
| ARC-REQ-011 | ARC: Electro-Optical Sensor Assembly — Common stabilised platform with separate day and thermal channels. The EOSA mounts the thermal imager, daylight camera, and laser rangefinder on a single 2-axis stabilised gimbal (Sensor Head Stabilisation Platform). A separate stabilised gimbal per channel was rejected because it would increase sensor head mass and require separate bore-sight maintenance procedures. Co-mounting on a single gimbal allows simultaneous day/thermal imagery with guaranteed co-boresight alignment maintained at the platform level rather than requiring software registration. The SHSP stabilises to 0.1 mrad RMS, tighter than the turret drive pointing accuracy of 0.2 mrad (IFC-REQ-008), to decouple sensor stabilisation from pointing control. Rationale: Co-mounted channels on single stabilised platform reduces mass and ensures mechanical bore-sight coherence across day, thermal, and LRF channels — critical for fire control accuracy and degraded-mode operation (SYS-REQ-011). | Inspection | architecture, electro-optical-sensor-assembly, sil-2, session-621, idempotency:arc-eosa-621 |
| ARC-REQ-012 | ARC: Operator Control Unit — Three-component architecture separating display (ODU), input (GHC), and processing (OCU CPU). This separation allows OCU CPU and GHC to operate from separate power supplies, ensuring gunner input is not lost if the display fails. The OCU CPU composites video overlay graphics locally, reducing bandwidth on the FCC-OCU link to video-only traffic. A monolithic touchscreen-only design was rejected because tactile trigger operation is essential under high-vibration or cold-weather conditions where touch accuracy degrades. Rationale: Separating display from processing enables display failure tolerance and reduces FCC-OCU interface bandwidth. Separate physical trigger (GHC) from touchscreen ensures reliable weapon control in adverse conditions. | Inspection | architecture, operator-control-unit, session-621, idempotency:arc-ocu-621 |
| ARC-REQ-013 | ARC: Power Distribution Unit decomposed into passive filter, SSPC distribution, DC-DC converters, and supervisory monitor — The PDU separates the passive EMC/surge protection function (Primary Power Input Filter) from the active switching and protection (Power Distribution and Protection Module) to allow independent testing and replacement. The DC-DC Converter Array is a separate module because secondary rail failure (12V/5V/3.3V) must not cascade to 28V distribution. The Power Monitor and Control Unit is isolated to a dedicated processor so power fault logging continues even if an SSPC control loop fails. Alternative: integrated power conditioning module. Rejected because a single integrated module would require full replacement for any single-function failure, increasing maintenance burden per SYS-REQ-015 LRU replacement. Rationale: Modular PDU architecture enables LRU-level replacement per SYS-REQ-015 (15-min barrel/LRU change) and ensures fault isolation between power functions. | Inspection | architecture, power-distribution-unit, session-622, idempotency:arc-pdu-decomposition-622 |

| Ref | Requirement | V&V | Tags |
|---|---|---|---|
| VER-100 | Verify IFC-REQ-025: Connect instrumented BMS simulator to TDP external interface; confirm MIL-STD-6016 message exchange at minimum 115.2kbps. Pass criterion: ≥1000 tactical messages exchanged with zero framing errors over a 60-minute test at maximum data rate. Rationale: Integration test verifying the physical radio interface meets BMS throughput requirements before field deployment. | Test | verification, communications-interface-unit |
| VER-REQ-001 | Verify SUB-REQ-001: Perform safety integrity analysis of the Dual-Channel Safety Controller design. Review channel independence, cross-channel data comparison logic, and PFD calculation against IEC 61508 SIL 3 PFD ceiling of 1e-4/hr. Pass criteria: PFD calculation shows margin ≥2x on the SIL 3 ceiling with documented assumptions. Rationale: 1oo2D redundancy cannot be fully verified by test alone — the statistical reliability claim requires analytical demonstration using FMEDA (Failure Modes, Effects, and Diagnostic Analysis). Pass criteria require a 2x margin to account for environmental derating and manufacturing variation. | Analysis | verification, safety-interlock-system, session-618, idempotency:ver-sub001-618 |
| VER-REQ-002 | Verify SUB-REQ-002: Inject arming command sequences in SIS test harness. Test cases: (a) key only — expect ARMED state NOT entered; (b) software ARM only — expect ARMED state NOT entered; (c) key then software ARM within 2s — expect ARMED state entered; (d) key then software ARM after 2s — expect ARMED state NOT entered; (e) simultaneous de-assert — expect revert to SAFE. Measure timing with oscilloscope. Pass criteria: all 5 test cases produce specified state in ≥100 trials. Rationale: Combinatorial testing of the two-action sequence covers the four possible input combinations and the timeout path. 100 trials per case provides statistical confidence at the level appropriate for a SIL 3 function. Oscilloscope measurement verifies the 2-second window is accurately implemented. | Test | verification, safety-interlock-system, sil-3, session-618, idempotency:ver-sub002-618 |
| VER-REQ-003 | Verify SUB-REQ-005: Simulate data link heartbeat dropout at SIS bench test harness. Inject heartbeat at 10Hz, then drop all packets. Measure time from last heartbeat to safe-state trigger assertion using oscilloscope capture. Repeat 50 times at -40°C, +20°C, +70°C. Pass criteria: safe-state trigger asserted within 200ms in all 150 trials across temperature range. Rationale: Temperature range testing is required because watchdog timer accuracy can drift with temperature in hardware implementations. 50 trials per temperature point is the minimum to detect systematic failures. Oscilloscope measurement provides millisecond-accurate timing independent of any logging latency. | Test | verification, safety-interlock-system, sil-2, session-618, idempotency:ver-sub005-618 |
| VER-REQ-004 | Verify SUB-REQ-008: Inject simulated faults into SIS test harness (channel mismatch, diagnostic monitor trip, output feedback discrepancy). For each fault type, measure time from fault injection to actuator de-energisation. Test latch behaviour by attempting software reset without deliberate operator sequence. Pass criteria: safe state reached within 100ms for all fault types; latch maintained until operator reset sequence confirmed by independent observer. Rationale: Fault injection testing at component level is required by IEC 61508 to verify the diagnostic response chain. Testing the latch behaviour independently (not relying on the system's own logging) eliminates the risk that a software fault could falsely indicate a successful reset. | Test | verification, safety-interlock-system, sil-3, session-618, idempotency:ver-sub008-618 |
| VER-REQ-005 | Verify IFC-REQ-011: Connect Arming Key Switch Assembly to SIS test harness. Rotate key through all 3 positions (SAFE, ARMED, MAINTENANCE-LOCKOUT). Measure voltage at controller input terminals. Simulate open-circuit (wire cut) and short-circuit faults. Verify continuity monitoring detects each fault within 10ms. Pass criteria: voltages within spec, faults detected within 10ms in ≥20 trials. Rationale: Direct measurement at controller terminals (not at key switch) verifies the full wiring harness including connectors. Open/short fault testing validates the 100Hz continuity monitoring function that supports the fault-safe-state budget. | Test | verification, safety-interlock-system, sil-3, session-618, idempotency:ver-ifc011-618 |
| VER-REQ-006 | Verify IFC-REQ-013: Apply 24VDC energise command from SIS test harness to Hardware Firing Interlock Relay. Test AND-gate logic by asserting channel A only, channel B only, and both channels. Measure relay de-energise time on command withdrawal with oscilloscope. Simulate relay weld (hold contacts closed) and verify feedback detection. Pass criteria: relay energises only on dual-channel assert; de-energises within 10ms; weld fault detected within one polling cycle. Rationale: AND-gate functional test is required to prove the dual-channel firing barrier. Relay weld testing addresses the critical failure mode that could defeat the firing barrier without detection. | Test | verification, safety-interlock-system, sil-3, session-618, idempotency:ver-ifc013-618 |
| VER-REQ-007 | The Hardware Firing Interlock Relay shall be verified to be a normally-open fail-safe relay by de-energising the coil and confirming the firing solenoid circuit reads open-circuit with resistance > 1MΩ. Test shall confirm relay reverts to normally-open state within 20ms of coil de-energisation. Rationale: SUB-REQ-003 specifies a normally-open fail-safe relay as a SIL 3 hardware safety measure. Physical verification by circuit-open measurement confirms the fail-safe state is achieved without software intervention. The 20ms criterion matches the SIS de-energise budget. | Test | session-619, qc, safety-interlock-system, sil-3, idempotency:ver-hfir-normally-open-619 |
| VER-REQ-008 | The Hardware Firing Interlock Relay shall be verified to de-energise and open the firing solenoid circuit within 10ms of receiving a FIRE-INHIBIT command, measured from command assertion to relay contact open state under maximum specified inductive load, across the full operating temperature range of -40°C to +70°C. Rationale: SUB-REQ-004 specifies 10ms de-energise time as the SIL 3 hardware safety timing budget. Testing under worst-case inductive load and temperature extremes confirms the relay meets the budget in all operational conditions, which is required for the overall SIS response time chain. | Test | session-619, qc, safety-interlock-system, sil-3, idempotency:ver-hfir-timing-619 |
| VER-REQ-009 | The Safe State Output Driver shall be verified to de-energise all actuator outputs and assert the SSOD-SAFE status signal within 50ms of Emergency Stop activation. Test shall inject E-stop signal and measure time-to-de-energise for each output channel (azimuth brake, elevation brake, firing inhibit relay) independently and simultaneously, confirmed by instrumented relay current measurement. Rationale: SUB-REQ-006 specifies 50ms SSOD response as the intermediate timing budget within the 200ms E-stop chain required by SYS-REQ-010. Individual channel measurement catches partial-failure modes where one output de-energises but another does not, which is critical for 1oo2D SIS architecture. | Test | session-619, qc, safety-interlock-system, sil-2, idempotency:ver-ssod-estop-619 |
| VER-REQ-010 | While the Arming Key Switch Assembly is in MAINTENANCE-LOCKOUT position, the Safety Interlock System shall be verified to maintain firing circuit inhibit and turret drive lockout via inspection of hardwired interlocks with key physically inserted in MAINTENANCE-LOCKOUT, confirmed by attempted fire command injection and turret drive command injection with zero actuation response. Rationale: SUB-REQ-007 requires a physical lockout that cannot be overridden by software — the inspection method with physical key insertion confirms the hardwired nature of the lockout. Software injection of fire and drive commands while the key is inserted is the only way to confirm software cannot override the physical interlock. | Inspection | session-619, qc, safety-interlock-system, sil-3, idempotency:ver-arming-lockout-619 |
| VER-REQ-011 | The Safety Interlock System shall be verified to operate correctly from supply voltages across the 22–32VDC nominal range. Test shall apply minimum (22VDC), nominal (28VDC), and maximum (32VDC) supply voltages and confirm all SIS functions (fire inhibit, E-stop response, lockout detection, BITE) operate within specification at each voltage level. Rationale: SUB-REQ-009 specifies 22–32VDC operating range reflecting MIL-STD-1275 (Characteristics of 28-Volt DC Electrical Systems in Military Vehicles) voltage tolerance for vehicle power buses. Testing the full range confirms the SIS does not have a latent voltage-induced failure mode that could cause spurious safe-state assertion or inhibit safe-state activation. | Test | session-619, qc, safety-interlock-system, sil-3, idempotency:ver-sis-power-619 |
| VER-REQ-012 | The interface between the Safety Interlock System and the Weapon and Ammunition Handling Assembly shall be verified by injecting an arming command through the SIS-WAHA interface and confirming the WAHA-FIRE-ENABLE signal is only asserted when all SIS enable conditions are met (arming key in ARMED, no E-stop, dual-channel agreement). Test shall also confirm WAHA-FIRE-ENABLE is de-asserted within 15ms of any SIS safe-state trigger. Rationale: IFC-REQ-009 defines the last physical gate before ammunition discharge. End-to-end interface testing from SIS enable logic to WAHA-FIRE-ENABLE signal confirms the hardware firing path matches the SIS design. The 15ms de-assertion timing test detects wiring faults or relay contact welding that would prevent safe-state from inhibiting fire. | Test | session-619, qc, safety-interlock-system, sil-3, idempotency:ver-sis-waha-619 |
| VER-REQ-013 | The interface between the Safety Interlock System and the Turret Drive Assembly shall be verified by injecting a drive command to both azimuth and elevation axes while the SIS DRIVE-INHIBIT signal is asserted, confirming zero turret motion. Test shall also confirm DRIVE-INHIBIT assertion latency is not greater than 20ms from SIS safe-state trigger, verified by simultaneous oscilloscope capture of SIS trigger and TDA drive enable line. Rationale: IFC-REQ-010 specifies a hardwired drive inhibit as a backup to the E-stop brake engagement. Verifying zero motion under commanded drive with inhibit asserted confirms the hardwired path is not software-bypassable, which is essential for the SIL 2 uncommanded turret motion hazard mitigation. | Test | session-619, qc, safety-interlock-system, sil-2, idempotency:ver-sis-tda-inhibit-619 |
| VER-REQ-014 | Verify SUB-REQ-013: Inject simulated 50Hz track data from TTP simulator, log FCC demand timestamps, compute achieved loop rate and latency. Pass: loop rate ≥50Hz, demand latency ≤20ms in all 1000 consecutive cycles under hardware-representative load. Rationale: HIL test using production FCC hardware with TTP simulator validates control loop timing under realistic software load. 1000-cycle sample provides statistical confidence on timing conformance. | Test | verification, fire-control-system, session-620, idempotency:ver-sub013-fcs-620 |
| VER-REQ-015 | Verify SUB-REQ-015: Apply step-change in LRF range measurement while logging BCM compute timestamp. Measure elapsed time to new ballistic correction output. Pass: latency ≤20ms in 100 consecutive trials across three ammunition profiles. Rationale: BCM latency directly affects hit probability (SYS-REQ-001). Test across three ammunition profiles confirms the ballistic model runtime is within budget for all supported munition types. | Test | verification, fire-control-system, session-620, idempotency:ver-sub015-bcm-620 |
| VER-REQ-016 | Verify SUB-REQ-017: With FCS in ARMED state and firing sequence active, assert SIS SAFE_STATE signal via hardware injection. Verify WCI CEASE assertion within 1ms and no further FIRE pulses within 100ms. Pass: CEASE latency ≤1ms, zero subsequent FIRE pulses, FCS enters INHIBITED state requiring explicit RE-ARM. Rationale: Safety verification for H-003 mitigation. Hardware injection test required at SIL 2 to confirm the software-level safing is not bypassed by race conditions or interrupt latency. The 1ms CEASE latency is tighter than the 5ms activation latency in SUB-REQ-016 because the safing path is interrupt-driven. | Test | verification, fire-control-system, sil-2, safety, session-620, idempotency:ver-sub017-sis-safing-620 |
| VER-REQ-017 | Verify IFC-REQ-015: Connect TTP to FCC over production PCIe bus. Inject 50Hz simulated track frames and measure received data rate and latency at FCC PCIe driver. Pass: received rate 50±0.5Hz, frame-to-FCC latency ≤1ms for 10,000 consecutive frames. Rationale: Integration test verifying PCIe latency budget for the TTP–FCC interface. 10,000-frame sample detects intermittent latency spikes that a short test would miss. Frame rate tolerance ±0.5Hz ensures the FCC control loop is not rate-starved by PCIe scheduling jitter. | Test | verification, fire-control-system, session-620, idempotency:ver-ifc015-ttp-fcc-620 |
| VER-REQ-018 | Verify IFC-REQ-018: Connect Barrel Change Mechanism barrel retention sensor to SIS test harness. Test barrel locked (0V) and unlocked (24V) states, verifying SIS reads correct logical state. Apply open-circuit and short-circuit fault conditions to wiring harness; confirm SIS detects fault within 50ms and enters BARREL-FAULT state. Pass: correct logic levels in ≥20 trials; faults detected within 50ms in all injected cases. Rationale: Direct measurement at SIS input terminals verifies the full wiring path. Open/short fault testing confirms active-low fail-safe convention is correctly implemented — an open circuit must not be interpreted as barrel-locked. | Test | verification, weapon-and-ammunition-handling, sil-2, session-621, idempotency:ver-ifc018-bcm-sis-621 |
| VER-REQ-019 | Verify IFC-REQ-019: Connect Ammunition Magazine Assembly to FCC integration bench. Log round-count messages at 1Hz over a 10-minute period with 60, 200, and 390 rounds loaded. Verify update rate is 1±0.1Hz and count accuracy is within ±5 rounds at each level. Pass: rate within tolerance for ≥95% of intervals; count within ±5 rounds at all three load levels. Rationale: Integration test at bench level using production AMA and FCC hardware. Rate tolerance testing confirms 1553B scheduling does not cause message dropout. Three load levels verify sensor accuracy across the full range, not just at nominal. | Test | verification, weapon-and-ammunition-handling, session-621, idempotency:ver-ifc019-ama-fcc-621 |
| VER-REQ-020 | Verify SUB-REQ-022: Mount production Weapon Cradle and Mount on structural test rig. Apply 25kN static load at weapon receiver interface. Measure alignment change at muzzle reference point before and after load application and after 500 load cycles simulating burst fire. Pass: alignment deviation ≤0.5 mrad after single load; no permanent deformation measurable by CMM after 500 cycles. Rationale: Static and fatigue testing under worst-case load conditions confirms structural and alignment requirements simultaneously. 500 cycles represents approximately 10 barrel lives of burst fire and is the acceptance criterion for structural fatigue. | Test | verification, weapon-and-ammunition-handling, sil-2, session-621, idempotency:ver-sub022-wcm-recoil-621 |
| VER-REQ-021 | Verify IFC-REQ-021: Connect FCC to TDC over production PCIe interface. Inject 50Hz aiming demand stream from FCC simulator, measure received demand rate and FCC-to-TDC actuator command latency using hardware timestamps. Repeat at 0°C and 40°C. Pass: received demand rate 50±0.5Hz, end-to-end latency ≤5ms for ≥9,999/10,000 consecutive packets. Rationale: Integration test of the FCC-TDC interface under production hardware conditions. Temperature testing confirms PCIe driver timing is not affected by thermal derating. 10,000-packet sample detects latency spikes that a short test would not reveal. | Test | verification, turret-drive-assembly, sil-2, session-621, idempotency:ver-ifc021-fcc-tdc-621 |
| VER-REQ-022 | Verify IFC-REQ-023: Connect EOSA to FCC integration bench. Stream simultaneous thermal and daylight channels at 50Hz. Measure frame-to-FCC buffer timestamp delta for 1000 consecutive frames on each channel. Verify channel synchronisation (simultaneous frames within 5ms). Pass: both channel latencies ≤30ms, synchronisation within 5ms, for ≥990/1000 frames. Rationale: Integration bench test using production EOSA and FCC hardware verifies the dual-channel video interface under realistic conditions. Frame synchronisation test confirms the day and thermal channels can be correlated by the FCS target tracker. | Test | verification, electro-optical-sensor-assembly, sil-2, session-621, idempotency:ver-ifc023-eosa-fcc-621 |
| VER-REQ-024 | Verify IFC-REQ-027: Inject GPS NMEA-0183 stream at 10 Hz on RS-422 input and measure UDP datagram delivery to Fire Control Computer subscriber. Pass criterion: all frames delivered within 5ms of GPS time-of-validity timestamp, zero missed frames over a 300-second test. Rationale: Integration test verifying GPS data distribution to FCS meets timing accuracy required for ballistic computation. | Test | verification, communications-interface-unit, session-622, idempotency:ver-ifc027-cpg-fcs-proper-622 |
| VER-REQ-025 | Verify IFC-REQ-028: Apply controlled load shedding to all non-SIS subsystem branches simultaneously; measure SIS supply rail voltage throughout. Pass criterion: SIS supply voltage remains within 18-32VDC with less than 500mV transient during full load shed event. Rationale: Safety function requires uninterrupted supply; test confirms the always-on SIS branch is electrically independent from load-shedded branches. | Test | verification, power-distribution-unit, sil-3, session-622, idempotency:ver-ifc028-sis-always-on-622 |
| VER-REQ-026 | Verify SUB-REQ-039: Inject short-circuit fault on one SSPC output branch; measure time to isolation and monitor all other output branches. Pass criterion: faulted branch isolated within 10ms, all other branches remain within ±5% of nominal voltage throughout fault event. Rationale: SSPC fault isolation time is critical to prevent safety-critical subsystem power interruption during fault conditions. | Test | verification, power-distribution-unit, session-622, idempotency:ver-sub039-sspc-isolation-622 |
| VER-REQ-031 | Verify IFC-REQ-016: On integrated FCS test bench, inject synthetic LRF range (1000m), target angular velocity (5 mrad/s), and IMU data at 100Hz; measure BCM azimuth/elevation correction return latency. Pass criterion: BCM correction returned within 20ms of last input update across 1000 consecutive cycles with no missed responses. Rationale: Hardware-in-the-loop test at the FCC-BCM PCIe interface is the only way to verify sub-20ms latency under realistic computational load; simulation cannot confirm PCIe scheduling jitter. | Test | verification, fire-control-system, session-623, idempotency:ver-ifc016-fcc-bcm-623 |
| VER-REQ-032 | Verify IFC-REQ-017: Connect FCC and WCI via RS-422; transmit FIRE, CEASE, and SAFE command sequences at 115200 baud with 16-bit CRC; measure end-to-end command latency and verify round-counter and fault-status telemetry at 10Hz. Pass criterion: all commands acknowledged within 1ms, CRC check passes on 10,000 consecutive frames, telemetry rate measured ≥10Hz over 300-second test. Rationale: The 1ms end-to-end command latency is the hardware interlock response budget—only physical bench test with production RS-422 hardware can confirm actual propagation and interrupt service timing. | Test | verification, fire-control-system, session-623, idempotency:ver-ifc017-fcc-wci-623 |
| VER-REQ-033 | Verify IFC-REQ-020: Mount weapon assembly at full traverse extremes (0°, 90°, 180°, 270° azimuth; -20° and +55° elevation); measure belt tension at feed port using calibrated load cell. Pass criterion: tension within 15N–25N at all 8 test positions, sustained across 10 simulated ammunition load cycles. Rationale: Belt tension limits are mechanically derived from feed mechanism geometry across the traverse envelope; only physical integration testing can validate tension variation due to gravity, belt weight, and cable routing at the limit positions. | Test | verification, weapon-ammunition-handling, session-623, idempotency:ver-ifc020-belt-tension-623 |
| VER-REQ-034 | Verify IFC-REQ-022: Drive azimuth slip ring through 50,000 continuous rotation cycles under rated load (24VDC at 20A, MIL-STD-1553B 1Mbps, 100BASE-TX Ethernet, ±10V analogue at 10kHz). Measure contact resistance and signal attenuation at 0, 10k, 25k, and 50k rotation milestones. Pass criterion: contact resistance ≤10mΩ and signal attenuation ≤3dB at all checkpoints. Rationale: Slip ring contact degradation is a wear-out failure mode unique to rotating machinery; only endurance testing through the rated 50,000-rotation life can confirm resistance and attenuation compliance at end-of-life, which simulation cannot predict. | Test | verification, turret-drive-assembly, session-623, idempotency:ver-ifc022-slip-ring-623 |
| VER-REQ-035 | Verify IFC-REQ-024: On integrated OCU-FCS bench, stream dual-channel video (thermal + daylight) at maximum bandwidth while injecting operator command packets at 100Hz; measure end-to-end command latency from OCU to FCC. Pass criterion: command latency ≤5ms at 95th percentile over 10-minute sustained test, total video bandwidth ≤200 Mbps as measured by network analyser, zero command packet drops. Rationale: The 5ms latency budget is derived from the engagement timeline—operator reaction time is the gating factor. Only integrated test under concurrent video load confirms latency is not crowded out by video bandwidth on the shared 100BASE-TX link. | Test | verification, operator-control-unit, fire-control-system, session-623, idempotency:ver-ifc024-ocu-fcc-623 |
| VER-REQ-036 | Verify SUB-REQ-052: supplementary verification covering WCI SAFE state transition. On FCC hardware, confirm that watchdog starvation results in WCI safe assertion via the watchdog-initiated output path, distinct from direct de-energisation. This test is superseded by VER-REQ-044 which covers the consolidated SUB-REQ-052 requirement. Rationale: Watchdog hardware timeout is a SIL-2 safety function; software simulation cannot verify the hardware timer fires and the WCI responds within the 100ms budget under actual hardware scheduling and interrupt latency. | Test | verification, fire-control-system, sil-2, session-623, idempotency:ver-sub020-fcc-watchdog-623, reqs-eng-session-641, superseded-by-VER-REQ-044 |
| VER-REQ-037 | Verify SUB-REQ-021: Apply 20V, 28V, and 32VDC to FCC power input; verify FCC remains operational and current draw ≤8A steady-state at each voltage. Apply power-on surge at 20V and 32V; verify peak current ≤15A for ≤50ms using calibrated current clamp at 10kHz sample rate. Pass criterion: stable operation at all three voltages, surge current within spec on all 5 repeated power-on cycles per voltage. Rationale: MIL-STD-1275E operating range and surge current limits protect FCC against vehicle electrical transients; bench test across the full voltage range with surge measurement is required to confirm the power supply design margin before environmental qualification. | Test | verification, fire-control-system, session-623, idempotency:ver-sub021-fcc-power-623 |
| VER-REQ-038 | Verify SUB-REQ-042: Apply 22V, 28V, and 32VDC to DCSC power input; verify DCSC remains in safe-state-ready condition and current draw ≤500mA per channel. Apply power-on transient; verify inrush ≤2A for ≤20ms using current probe at 50kHz sample rate. Pass criterion: stable operation at all three voltages, no spurious safe-state assertions, inrush within spec on 5 consecutive power cycles. Rationale: SIL-3 component power verification requires physical test across MIL-STD-1275E range to confirm no false safe-state assertions from voltage transients—analysis alone is insufficient for SIL-3. | Test | verification, safety-interlock-system, sil-3, session-623, idempotency:ver-sub042-dcsc-power-623 |
| VER-REQ-039 | Verify SUB-REQ-043: Apply 18V, 24V, and 30VDC to HFIR coil; measure coil current, operate time, and release time using oscilloscope. Pass criterion: coil current ≤200mA at all three voltages, operate time ≤10ms, release time ≤5ms across 10 consecutive switching cycles at each voltage. Rationale: Relay operate and release times at voltage extremes determine whether the interlock de-energises before a complete burst cycle—physical test is required since relay timing varies with coil voltage and contact wear. | Test | verification, safety-interlock-system, sil-3, session-623, idempotency:ver-sub043-hfir-power-623 |
| VER-REQ-040 | Verify SUB-REQ-044: Command TDA elevation drive from -20° to +60° under maximum weapon load on a locked azimuth test fixture. Measure angle achieved at drive limits and slew rate between limits. Pass criterion: full angular range achieved within ±0.5° and slew rate ≥30°/s throughout range. Rationale: Integration test confirming the elevation axis meets both the angular range and rate requirements of SYS-REQ-003, under load conditions representative of the heaviest qualified weapon. | Test | verification, turret-drive-assembly, session-624, idempotency:ver-sub044-tda-elev-624 |
| VER-REQ-041 | Verify SUB-REQ-049: Mount RWS on a motion simulator generating 6-DOF vehicle motion profiles at 30 km/h terrain traverse. Measure EOSA sensor line-of-sight error using a reference collimator over a 120-second test run. Pass criterion: LOS residual error < 0.1 mrad RMS throughout test. Rationale: Motion simulator test replicates actual vehicle dynamics while enabling precision LOS measurement against a fixed reference, which cannot be achieved in field conditions. 120-second duration captures multiple stabilisation transients. | Test | verification, electro-optical-sensor-assembly, session-624, idempotency:ver-sub049-eosa-gyrostab-624 |
| VER-REQ-042 | Verify SUB-REQ-048: Power-cycle the FCS three times and observe the automated boresight routine output each time. Then introduce a deliberate 1.2 mrad misalignment and confirm the FCS inhibits firing. Pass criterion: routine completes within 30 seconds of power-on, alignment within 0.5 mrad on all three cycles, firing inhibited at 1.2 mrad. Rationale: Power-cycle repetition tests routine reliability across start-up states. Deliberate misalignment injection directly validates the 1.0 mrad inhibit threshold required by SUB-REQ-048. | Test | verification, fire-control-system, session-624, idempotency:ver-sub048-fcc-boresight-624 |
| VER-REQ-043 | Verify SUB-REQ-046: Conduct Reliability Demonstration Test per MIL-HDBK-781A Method 9 using accelerated life test schedule. Accept if observed MTBCF is ≥500 hours at 80% confidence. Supplement with Design FMEA (per MIL-STD-1629A) predicting FCS MTBCF against parts count data. Rationale: Demonstration testing to MIL-HDBK-781A is the accepted method for reliability compliance claims. FMEA supplements test data where sample size is insufficient for statistical significance at 80% confidence. | Analysis | verification, fire-control-system, reliability, session-624, idempotency:ver-sub046-fcs-mtbcf-624 |
| VER-REQ-044 | Verify SUB-REQ-052: On FCC hardware test rig, simulate watchdog starvation by halting the fire control application; measure time from last watchdog service to WCI firing output de-energisation and HMI fault flag assertion. Pass criterion: WCI firing output de-energised within 100ms ±5ms and HMI fault flag visible within 500ms, in 10 consecutive trials at -40°C and +70°C operating extremes. Rationale: Direct hardware test of the watchdog timeout boundary at operating temperature extremes. The ±5ms tolerance accommodates crystal oscillator drift without invalidating the safety margin. Temperature extremes verify the RC timing network used in watchdog hardware is within tolerance across the vehicle thermal envelope. | Test | session-625, verification, fire-control-system, idempotency:ver-fcc-watchdog-session-625, reqs-eng-session-641 |
| VER-REQ-045 | Verify SUB-REQ-053: Interrupt WCI-FCC communication link while WCI firing output is in energised state. Measure time from comms loss to firing solenoid de-energisation via oscilloscope on solenoid coil. Pass criterion: de-energise ≤10ms in 20 consecutive trials across power supply range 22-32VDC. Rationale: Oscilloscope measurement directly validates the fail-safe timing requirement. Testing across 22-32VDC supply range verifies the output driver and relay operate within spec at vehicle battery voltage extremes. 20 trials provide statistical confidence that the result is not a timing anomaly. | Test | session-625, verification, fire-control-system, idempotency:ver-wci-failsafe-session-625 |
| VER-REQ-046 | Verify SUB-REQ-055: Inspect the FCS LRU against its approved mechanical drawing. Measure enclosure volume (displacement method) and mass (calibrated scale). Verify 4-point mounting interface dimensions against NATO STANAG 4059 template. Inspect MIL-DTL-38999 Series III connector type and pin count. Pass criteria: volume not exceeding 8L, mass not exceeding 4.5 kg, mounting interface conformant, connector model verified. Rationale: Physical embodiment requirements for LRUs are verified by inspection against the as-built hardware; dimensional and mass compliance cannot be assured by analysis alone for procurement and acceptance. | Inspection | verification, fire-control-system, session-626, idempotency:ver-sub-055-physical-v2-626 |
| VER-REQ-047 | Verify SUB-REQ-056: Connect a link simulator to the CAN Bus and Serial Protocol Gateway; inject heartbeat at 10 Hz, then drop the heartbeat. Measure time from last heartbeat to LINK-LOSS signal assertion on SIS interface. Repeat 10 times. Pass criteria: LINK-LOSS asserted within 200ms of heartbeat gap exceeding 100ms on all 10 trials. Rationale: Timing compliance for link-loss detection is safety-critical (feeds the 500ms SYS-REQ-009 budget) and must be verified by hardware-in-the-loop test to account for real bus latency and gateway processing time. | Test | verification, communications-interface-unit, session-626, idempotency:ver-sub-056-link-detection-626 |
| VER-REQ-048 | Verify SUB-REQ-057: On an OCU test bench connected to FCS simulator, inject a thermal imager fault signal. Measure elapsed time from fault injection to amber status icon display on ODU. Verify icon appearance, colour (amber), and text identifies 'Thermal Imager' as the failed subsystem. Pass criteria: annunciation within 500ms, amber icon displayed, correct subsystem named in status bar. Rationale: Annunciation latency and content must be verified end-to-end with a realistic fault injection on an integrated test bench, as display timing depends on the OCU CPU processing pipeline and display update rate. | Test | verification, operator-control-unit, session-626, idempotency:ver-sub-057-degraded-annunciation-626 |
| VER-REQ-049 | Verify SUB-REQ-058: Mount RWS on a 6-DOF motion simulator generating cross-country vibration profiles per MIL-STD-810H Method 514.8 (Vibration) at 30 km/h equivalent. Command static target position. Sample weapon pointing error at 1 kHz for 60 seconds. Compute RMS pointing error. Pass criteria: pointing error not exceeding 0.1 mrad RMS across the 60-second test window. Rationale: Stabilisation accuracy under vehicle motion is a safety-relevant performance parameter that cannot be verified by analysis — hardware-in-the-loop testing on a motion simulator is the only method that exercises the actual closed-loop dynamics of the TDC with real sensor and actuator characteristics. | Test | verification, turret-drive-assembly, session-626, idempotency:ver-sub-058-stabilisation-626 |
| VER-REQ-051 | Verify : Inject 1000 valid fire solution input frames on BCM test bench; then inject 100 frames with corrupted CRC. Verify: (a) all valid frames accepted and processed within 20ms; (b) all corrupt frames rejected within one processing cycle with DATA_INTEGRITY_FAULT asserted on HMI output within 500ms. Pass criteria: 0 valid frames rejected, 0 corrupt frames accepted. Rationale: End-to-end test at BCM input validates both the integrity check logic and the fault reporting path. Using 100 corrupt injections ensures statistical coverage across CRC bit-error patterns. | Test | verification, fire-control-system, sil-2, session-627, idempotency:ver-bcm-data-integrity-627 |
| VER-REQ-052 | Verify SUB-REQ-050: Subject FCS LRU to MIL-STD-810H Method 507.6 (Humidity) and Method 514.8 (Vibration) test profiles. Pass criteria: LRU powers on and executes full BIT without fault after humidity exposure; LRU maintains pointing loop accuracy within 0.1 mrad RMS during and after vibration profile. Rationale: Environmental qualification by physical test is the only method that validates hermetic seal integrity and structural robustness under representative vehicle-mounted vibration. Analysis cannot substitute for physical exposure at this qualification stage. | Test | verification, fire-control-system, sil-2, session-627, idempotency:ver-sub050-fcs-env-qual-627 |
| VER-REQ-053 | Verify SUB-REQ-051: Mount HFIR sample on MIL-STD-202 salt-spray test rig; expose for 1000 hours per Method 101. Then actuate relay for 50,000 cycles. Measure contact resistance with 4-wire milliohmmeter after test. Pass criteria: contact resistance ≤50mΩ and relay operational on all test samples. Rationale: Contact resistance degradation under salt spray and mechanical cycling cannot be predicted analytically for electromechanical relays in defence environments; physical endurance testing per MIL-STD-202 is required for SIL-3 hardware qualification. | Test | verification, safety-interlock-system, sil-3, session-627, idempotency:ver-sub051-hfir-contacts-627 |
| VER-REQ-054 | Verify SUB-REQ-054: On PDU bench with six SSPC channels at nominal load, inject a hard short on Channel 1 while measuring voltage on Channels 2-6. Pass criteria: Channel 1 trips within 1ms; Channels 2-6 maintain voltage within 5% of nominal with no interruption. Rationale: SSPC fault isolation must be verified under representative load conditions; analytical models of trip behaviour cannot account for PCB parasitics and component tolerance stacking. Test directly confirms the 1ms isolation criterion that protects safety-critical loads. | Test | verification, power-distribution-unit, session-627, idempotency:ver-sub054-pdu-sspc-627 |
| VER-REQ-056 | Verify SUB-REQ-060: Subject assembled TDA to MIL-STD-810H Method 501.7 (High Temperature) and 502.7 (Low Temperature) soak cycles then IP67 ingress test (1m immersion, 30min) per IEC 60529. Pass: all drive axes operational post-test, no water ingress on internal inspection, encoder error within SUB-REQ-058 specification. Rationale: IP67 sealing and temperature range for the TDA drive mechanism must be verified by test because seal integrity under thermal cycling and water pressure cannot be confirmed by analysis of bearing datasheets alone. | Test | verification, turret-drive-assembly, environmental, session-628, idempotency:ver2-sub060-tda-env-628 |
| VER-REQ-057 | Verify SUB-REQ-061: Subject SIS Dual-Channel Safety Controller to MIL-STD-810H Method 501.7 (High Temperature, +70°C) and Method 502.7 (Low Temperature, -40°C) soak, then IP65 water jet test per IEC 60529. During temperature test: inject firing command on both channels and confirm SAFE_STATE output correct. Pass: safety function maintained at temperature extremes; no water ingress after IP65 test. Rationale: IEC 61508 SIL 3 requires the safety function to be verified under all operational conditions including temperature extremes. Test at -40°C and +70°C is the only method to confirm relay contact resistance and diagnostic monitor thresholds remain within SIL 3 PFD budget under thermal stress. | Test | verification, safety-interlock-system, environmental, sil-3, session-628, idempotency:ver-sub061-sis-env-628 |
| VER-REQ-058 | Verify SUB-REQ-062: Obtain MIL-PRF-39016 qualification test report for selected relay component. Measure contact resistance at -55°C, +25°C, and +125°C using 4-wire Kelvin method with relay coil energised and de-energised. Pass: contact resistance ≤100mΩ at all temperatures; coil-to-contact isolation ≥500VDC at +25°C. Rationale: MIL-PRF-39016 qualification test report provides established reliability screening data required for SIL 3 PFD calculation. Contact resistance verification across temperature range confirms the relay remains within the firing circuit voltage budget at thermal extremes. | Inspection | verification, safety-interlock-system, hardware-firing-interlock-relay, sil-3, session-628, idempotency:ver-sub062-hwilk-relay-628 |
| VER-REQ-059 | Verify SUB-REQ-014: Mount a calibrated thermal target (0.5K IR contrast delta-T above background) at 1000m in controlled environment. Command the Target Tracking Processor to acquire and track the target. Measure track error centroid deviation from target centre over 30-second hold. Pass criteria: track error does not exceed 0.1 mrad RMS on 5 consecutive acquisitions in both stationary and 2 deg/s slew conditions. Rationale: Auto-track accuracy on minimum-contrast targets defines the boundary condition for engagement probability in degraded IR conditions. Only physical test against a calibrated thermal target replicates the actual signal-to-noise environment; analysis cannot validate the IR image processing algorithms against real scene clutter. | Test | verification, fire-control-system, sil-2, session-629, idempotency:ver-sub014-ttp-autotrack-629 |
| VER-REQ-060 | Verify SUB-REQ-018: Disable the thermal imaging channel in the FCS software and command engagement of a 2m x 2m visual contrast target at 200m range. Verify that the day camera auto-track remains locked and that the system reports Degraded Mode status on the operator display. Pass criteria: track maintained at 200m with day camera only; Degraded Mode status flag active; no unintended mode transitions observed over 60-second hold. Rationale: Degraded mode operation with failed thermal channel is a ConOps scenario where the day camera provides the only targeting solution. SIL-2 classification requires that the degraded mode be verified to maintain a safe engagement capability without creating new hazards such as missed mode transition annunciation. | Test | verification, fire-control-system, sil-2, degraded, session-629, idempotency:ver-sub018-degraded-mode-629 |
| VER-REQ-061 | Verify SUB-REQ-019: Power-cycle the FCS from cold start and monitor the operator display during BIT execution. Measure time from power-on to BIT complete status. Deliberately inject a fault (disconnect WCI cable) and verify BIT reports the correct fault code. Pass criteria: BIT complete within 30 seconds; all safety-interlocked functions reported; injected WCI fault detected and annunciated with correct code. Rationale: BIT is the primary mechanism for detecting latent failures in safety-interlocked functions before engagement. The 30-second BIT duration is a ConOps constraint — operators require system readiness within that window from cold start. Fault injection testing verifies that BIT fault codes are accurate and not masked. | Test | verification, fire-control-system, session-629, idempotency:ver-sub019-fcs-bit-629 |
| VER-REQ-062 | Verify SUB-REQ-023: Mount the weapon system on a force measurement platform with calibrated load cells on the mounting interface. Fire 10 rounds at full cyclic rate. Record peak force transmitted to the mounting interface for each shot. Pass criteria: peak transmitted force does not exceed 5 kN on any shot; no structural distress or fastener loosening observed post-test. Rationale: Recoil force transmitted to the turret ring and vehicle interface is a safety requirement — 5 kN is the structural design limit of the mounting interface per the vehicle integration specification. Analysis alone cannot validate the non-linear compliance of the hydraulic buffer under dynamic firing conditions; physical test is required to confirm the damping characteristic against the actual weapon system impulse. | Test | verification, weapon-and-ammunition-handling, sil-2, session-629, idempotency:ver-sub023-recoil-buffer-629 |
| VER-REQ-063 | Verify SUB-REQ-028: Command full 360-degree azimuth rotation at maximum slew rate with weapon at neutral elevation. Measure continuous slew velocity using shaft encoder output at 1 kHz sampling. Also measure azimuth position accuracy after commanding to 5 known positions (0, 90, 180, 270, 360 degrees). Pass criteria: maximum slew rate not less than 60 deg/s sustained; position error not exceeding 1.0 mrad at all test positions; no mechanical binding or encoder dropout. Rationale: 360-degree continuous traverse without a hard stop is a defining capability of the RWS that distinguishes it from limited-traverse systems. SYS-REQ-003 requires 60 deg/s minimum; any reduction below this prevents engagement of fast-moving targets. The slip ring assembly that enables unlimited traverse must be verified not to introduce binding or electrical dropout that would interrupt the azimuth control loop. | Test | verification, turret-drive-assembly, session-629, idempotency:ver-sub028-azimuth-drive-629 |
| VER-REQ-064 | Verify SUB-REQ-034: Connect a MIL-STD-6016 (STANAG 5516) compliant BMS simulator to the Tactical Data Link Processor external port. Command the TDP to transmit position reports. Measure message transmission rate using a protocol analyser on the link. Also inject a received track message and verify decode latency. Pass criteria: position reports transmitted at minimum 1 Hz; received track decode latency not exceeding 200 ms; all messages conform to MIL-STD-6016 message format with zero malformed messages over 5-minute test run. Rationale: MIL-STD-6016 (STANAG 5516) compatibility is a NATO interoperability requirement that cannot be verified by inspection of the implementation alone; only protocol-level test with a conformant BMS simulator confirms proper message encoding, timing, and format compliance. The 1 Hz minimum rate is the SYS-REQ-013 threshold derived from BMS track refresh rate requirements. | Test | verification, communications-interface-unit, session-629, idempotency:ver-sub034-tdp-datalink-629 |
| VER-REQ-065 | Verify SUB-REQ-010: Apply 20V, 28V, and 32VDC to the TDA power input port using a programmable DC supply. Measure input current at each voltage. Verify drive motor and encoder functions are operational at all voltages. Pass criteria: TDA operates correctly across 20-32V range; maximum current draw does not exceed the specified limit at 28V nominal; no loss of encoder function at voltage boundaries. Rationale: MIL-STD-1275E (Characteristics of 28-Volt DC Electrical Systems in Military Vehicles) defines the vehicle bus voltage transient environment. Verification across the full 20-32V operating range is required to confirm that TDA servo control does not fail at voltage extremes that occur during vehicle engine start or high-current switching events. | Test | verification, turret-drive-assembly, power, session-629, idempotency:ver-sub010-tda-power-629 |
| VER-REQ-066 | Verify SUB-REQ-024: Using a single trained maintainer wearing standard field PPE (including heat-resistant gloves), execute the barrel change procedure on a weapon system at operating temperature (barrel warmed to 150 degrees C minimum by firing or heat gun simulation). Time from initiating the barrel release to installation of the replacement barrel and system ready status. Pass criteria: complete procedure achievable within 15 minutes by the single maintainer; no special tools required beyond standard tool kit; replacement barrel locked and functional test passed. Rationale: 15-minute barrel change is a SYS-REQ-015 maintainability requirement driven by the tactical need to restore fire capability within the window of a brief operational pause. Demonstration by a single trained maintainer under realistic conditions (hot barrel, PPE, time pressure) validates the procedure is feasible as designed, not just theoretically achievable. | Demonstration | verification, weapon-and-ammunition-handling, session-629, idempotency:ver-sub024-barrel-change-629 |
| VER-REQ-067 | Verify SUB-REQ-011: Apply 20V, 28V, and 32VDC to the FCS power input using a programmable supply. Verify fire control processor, sensor interfaces, and Weapon Control Interface functions are all operational at each voltage point. Pass criteria: FCS BIT passes at all three voltage test points; no watchdog resets; no loss of sensor or WCI interface communication. Rationale: FCS contains the SIL-2 fire control processor and the Weapon Control Interface which must remain functional across the MIL-STD-1275E vehicle bus operating range. A voltage-induced reset of the fire control processor during a firing sequence is a hazardous event that could produce an unintended burst. | Test | verification, fire-control-system, power, sil-2, session-629, idempotency:ver-sub011-fcs-power-629 |
| VER-REQ-068 | Verify SUB-REQ-016: Inject a FIRE command from FCS simulator to Weapon Control Interface (WCI) using a calibrated signal generator. Measure time from FIRE command assertion to trigger solenoid activation using an oscilloscope connected to the solenoid drive line. Pass criteria: solenoid activation latency ≤5ms on 10 consecutive trials at nominal and boundary supply voltages (22V, 28V, 32VDC). Rationale: Trigger actuation latency is the direct cause of muzzle timing error at slew rates up to 40°/s; a 5ms error at 40°/s elevation rate produces 0.03° muzzle deflection, degrading first-round hit probability below the SYS-REQ-001 threshold of P_h ≥ 0.7. Functional test at three supply voltage points verifies compliance under MIL-STD-1275E operating range extremes. | Test | verification, fire-control-system, sil-2, session-629, idempotency:ver-sub016-wci-trigger-629 |
| VER-REQ-069 | Verify SUB-REQ-063: Mount instrumented weapon system to vehicle test rig moving at 15 km/h on representative terrain; command engagement against 2m x 2m target at 200m. Record 50 fire events. Pass criterion: first-round hit count ≥ 35 (P_h ≥ 0.70). Log IMU correction rate; confirm ≥ 100Hz during all fire events. Rationale: Statistical confidence on P_h ≥ 0.70 requires minimum 35 hits in 50 shots (95% CI lower bound ~0.64). Dynamic platform test is mandatory because bench-static boresight testing cannot exercise the stabilisation compensation path. | Test | verification, fire-control-system, sil-2, session-630, idempotency:ver-sub063-fcs-stabilisation-630 |
| VER-REQ-070 | Verify SUB-REQ-064: Command TDA through full 360 degree azimuth sweep and -20 to +60 degree elevation sweep at rated slew rates with ice loading applied per MIL-STD-810H Method 521.4. Measure achieved slew rate at 10 equidistant points. Pass criterion: slew rate not less than 60 deg/s azimuth and 40 deg/s elevation at all measurement points. Rationale: The TDA kinematic envelope under worst-case load is only verifiable by physical test with applied ice mass; analysis alone cannot account for bearing friction variation under frozen lubricant conditions. | Test | verification, turret-drive-assembly, sil-2, session-630, idempotency:ver-sub064-tda-traverse-630 |
| VER-REQ-071 | Verify SUB-REQ-066: Connect CIU to BMS simulator via MIL-STD-6016 compatible radio link. Record 3600 position messages over 60 minutes and 900 video frames per minute. Pass criterion: position message rate not less than 1 per second, video delivery rate not less than 15 fps, zero dropped messages in 3600-message sequence. Rationale: BMS data link throughput and video delivery rate are integration-testable requirements that cannot be verified by inspection or analysis. | Test | verification, communications-interface-unit, session-630, idempotency:ver-sub066-ciu-milstd6016-630 |
| VER-REQ-072 | Verify SUB-REQ-067: Place system in Maintenance mode, then command transition to Operational mode. Record time from mode command to BORESIGHT-VERIFIED status. Measure optical axis alignment between day camera and thermal imager outputs. Pass criterion: BORESIGHT-VERIFIED status achieved within 5 minutes; optical axes aligned to within 0.1 mrad. Rationale: Automated boresight verification is a time-critical function for operational readiness; the 5-minute constraint cannot be verified by design review alone. | Test | verification, fire-control-system, maintenance, session-630, idempotency:ver-sub067-fcs-boresight-630 |
| VER-REQ-073 | Verify SUB-REQ-068: Inspect Dual-Channel Safety Controller LRU against approved mechanical drawing. Confirm separate PCBs for each channel, electrically-shielded common housing, sealing to STANAG 4370 AECTP 400 requirements. Pass criterion: as-built configuration matches approved drawing; channel separation confirmed by continuity check; seal integrity confirmed by IP67 test. Rationale: Physical separation of dual-channel safety-critical hardware is a SIL 3 architectural requirement that must be verified by inspection; it cannot be tested by functional means alone. | Inspection | verification, safety-interlock-system, sil-3, session-630, idempotency:ver-sub068-dcsc-physical-lru-630 |
| VER-REQ-074 | Verify SUB-REQ-065: Disable thermal imager LRU while system is in operational mode. Measure time from fault detection to manual tracking mode activation using day camera. Confirm day-camera output at 1920x1080 at 15fps with automatic exposure active. Pass criterion: mode switch completes within 5 seconds of thermal imager fault; video output confirmed at specification. Rationale: The 5-second degraded-mode switchover is a safety-relevant performance constraint that must be verified under live fault injection; the switchover logic cannot be validated by analysis alone. | Test | verification, electro-optical-sensor-assembly, fire-control-system, degraded-mode, session-630, idempotency:ver-sub065-degraded-day-camera-630 |
| VER-REQ-075 | Verify IFC-REQ-001: Inspect the RWS turret ring mounting against the NATO STANAG 4569 Level IV interface drawing. Confirm bolt pattern, ring diameter, and load path meet the specification. Pass criterion: as-built configuration matches the approved interface drawing within specified tolerances. Rationale: NATO STANAG 4569 turret ring compliance is a hard physical interface constraint; only inspection against the approved drawing can confirm conformance of the manufactured part. | Inspection | verification, interface, session-631, idempotency:ver-ifc001-turret-ring-631 |
| VER-REQ-076 | Verify IFC-REQ-002: Apply 18VDC, 28VDC, and 32VDC to the RWS power input. Record input current, output regulation, and system functional status at each voltage. Pass criterion: full system functionality at all three voltages; no BIT faults on power subsystem channel. Rationale: MIL-STD-1275E (Characteristics of 28 Volt DC Electrical Systems in Military Vehicles) compliance requires live testing across the full operating range; datasheet analysis alone cannot verify system-level behaviour at voltage extremes. | Test | verification, interface, power, session-631, idempotency:ver-ifc002-power-631 |
| VER-REQ-077 | Verify IFC-REQ-003: Connect RWS to a vehicle platform simulator transmitting CAN frames at 500 kbps per ISO 11898 (Road vehicles - Controller area network). Inject vehicle motion data and power management commands. Confirm RWS responds to all defined message IDs within the specified latency. Pass criterion: all required messages acknowledged within 20ms. Rationale: CAN bus message exchange is a functional requirement that must be tested with live traffic at the interface; the message set and timing are not verifiable by inspection of wiring alone. | Test | verification, interface, can-bus, session-631, idempotency:ver-ifc003-canbus-631 |
| VER-REQ-078 | Verify IFC-REQ-004: Connect a GNSS simulator to the RWS navigation input. Inject position and heading data via the specified protocol. Confirm the FCS ingest of position/heading and incorporation into the ballistic solution within the required latency. Pass criterion: ballistic solution updates within 100ms of position fix. Rationale: GNSS data ingestion timing directly affects ballistic solution accuracy; the end-to-end latency from navigation input to fire solution update cannot be derived by analysis of component specs alone and requires integration test. | Test | verification, interface, gnss, session-631, idempotency:ver-ifc004-gnss-631 |
| VER-REQ-079 | Verify IFC-REQ-005: Load a STANAG 4090 compatible ammunition link into the AHA and cycle the weapon feed mechanism. Confirm link engagement, feeding, and disengagement without misfeeds. Pass criterion: zero link jams over 50 feed cycles at the maximum cyclic rate. Rationale: STANAG 4090 (Ammunition Link Design Requirements) ammunition interface compliance requires live feed testing; link engagement geometry cannot be verified by dimensional inspection alone because dynamic forces during feeding affect compatibility. | Test | verification, interface, ammunition, session-631, idempotency:ver-ifc005-ammo-link-631 |
| VER-REQ-080 | Verify IFC-REQ-006: Connect RWS to a MIL-STD-6016 (Tactical Digital Information Link) data link receiver. Stream compressed sensor video and target data for 10 minutes at operational update rate. Pass criterion: video decoded without frame loss; target track data received at specified update rate; measured throughput meets the specification. Rationale: MIL-STD-6016 (Tactical Digital Information Link - TADIL J) interoperability must be confirmed against an external receiver; link budget and encoding are not verifiable by analysis of the transmitter specification alone. | Test | verification, interface, datalink, session-631, idempotency:ver-ifc006-tdl-631 |
| VER-REQ-081 | Verify IFC-REQ-007: Connect a calibrated video analyser to the EOSA-FCS interface. Capture uncompressed video frames from both channels. Measure pixel resolution, frame rate, and end-to-end sensor-to-FCS latency. Pass criterion: day camera delivers minimum 1920x1080 at 30fps; thermal imager delivers minimum 640x480 at 25fps; both within specified latency budget. Rationale: Video throughput and latency across the EOSA-FCS interface determines tracking loop bandwidth; compliance cannot be verified by datasheet analysis because it depends on the physical link implementation. | Test | verification, interface, video, eosa, fcs, session-631, idempotency:ver-ifc007-eosa-fcs-video-631 |
| VER-REQ-082 | Verify IFC-REQ-008: Configure FCS to issue servo demand signals at 100Hz to the TDA. Inject a step demand and measure TDA response time, tracking accuracy, and signal latency via oscilloscope at the interface. Pass criterion: servo demand delivered at 100Hz ±1Hz; TDA closed-loop settling to within 0.1 mrad of demand within the specified time. Rationale: The FCS-TDA servo loop timing is a performance-critical interface; 100Hz demand rate and the resulting pointing accuracy cannot be confirmed without measuring the actual interface signals under closed-loop conditions. | Test | verification, interface, servo, tda, fcs, session-631, idempotency:ver-ifc008-fcs-tda-servo-631 |
| VER-REQ-083 | Verify IFC-REQ-012: Actuate E-stop while system is in Operational mode. Measure time from E-stop actuation to de-energisation of the firing relay and DRIVE-INHIBIT assertion. Confirm dual hardwire routing via continuity trace. Pass criterion: both channels reach safe state within 50ms; dual wiring topology confirmed by inspection. Rationale: The E-stop to DCSC interface is a SIL 3 safety function per IEC 61508 (Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems); response time and dual-channel routing must be verified by live fault injection and wiring inspection, not analysis. | Test | verification, interface, safety, sil-3, e-stop, session-631, idempotency:ver-ifc012-estop-dcsc-631 |
| VER-REQ-084 | Verify IFC-REQ-014: Inject a simulated SIS fault condition. Measure the signal timing on the DCSC-to-SSOD separate drive command lines for both channels. Confirm independence of channel A and channel B command paths. Pass criterion: both channels command safe state within 10ms of fault assertion; channel cross-dependency eliminated by signal monitoring. Rationale: Dual-channel independence on the DCSC-to-SSOD interface is a SIL 3 architectural requirement; independence must be confirmed under fault injection because it cannot be verified by inspection of the schematic alone. | Test | verification, interface, safety, sil-3, session-631, idempotency:ver-ifc014-dcsc-ssod-631 |
| VER-REQ-085 | Verify IFC-REQ-026: Stream video and metadata from VCNIM to TDL Processor at the specified data rate. Measure throughput, packet loss, and latency. Pass criterion: data throughput meets specification with less than 0.1% packet loss over a 5-minute sustained transmission. Rationale: The VCNIM-TDL Processor interface carries high-bandwidth compressed video; actual throughput depends on network implementation and cannot be inferred from link specification alone. | Test | verification, interface, video, datalink, session-631, idempotency:ver-ifc026-vcnim-tdl-631 |
| VER-REQ-086 | Verify IFC-REQ-029: Apply nominal and fault power conditions to RWS. Confirm PMCU telemetry messages are received by the FCC within the required update period. Inject an over-current condition and confirm FCC fault response. Pass criterion: telemetry received at minimum 1Hz; fault condition reported within two telemetry frames. Rationale: PMCU-to-FCC telemetry latency determines how quickly the FCS can respond to power fault conditions; compliance requires live power fault injection to verify end-to-end detection and response timing. | Test | verification, interface, power, fcs, session-631, idempotency:ver-ifc029-pmcu-fcc-631 |
| VER-REQ-087 | Verify SUB-REQ-026: Mount RWS on a vehicle motion simulator generating cross-country profile at 30km/h. Command a fixed azimuth-elevation aimpoint. Record weapon pointing error via optical encoder feedback over a 60-second run. Pass criterion: pointing error RMS does not exceed 0.1 mrad; peak error does not exceed 0.3 mrad. Rationale: Weapon pointing accuracy under vehicle motion is the primary driver of first-round hit probability (SYS-REQ-001); the 0.1 mrad RMS threshold requires stabilisation loop validation under dynamic excitation, which analysis of the servo specification cannot substitute. | Test | verification, tda, performance, session-631, idempotency:ver-sub026-tda-pointing-631 |
| VER-REQ-088 | Verify SUB-REQ-025: With barrel retention sensor set to UNLOCKED state via test fixture, command fire. Confirm firing circuit remains de-energised. Restore LOCKED state and confirm firing circuit enables. Pass criterion: no firing pulse when UNLOCKED; firing circuit active when LOCKED and all other conditions met. Rationale: The barrel retention interlock is a safety function; IEC 61508 SIL-2 requires functional verification by deliberate fault injection to confirm the interlock prevents firing with an unlocked barrel. | Test | verification, aha, safety, sil-2, session-631, idempotency:ver-sub025-aha-barrel-safety-631 |
| VER-REQ-089 | Verify SUB-REQ-029: Place calibrated point source target at 1000m range. Switch TI to narrow field. Record IFOV using the collimator bar method. Pass criterion: IFOV of 0.3 mrad or better confirmed; minimum detectable temperature contrast measured as 0.05K or better. Rationale: TI camera IFOV determines target detection range performance; actual IFOV is a function of the detector array and optics that must be measured on the delivered unit, not inferred from the optical design specification. | Test | verification, eosa, ti, performance, session-631, idempotency:ver-sub029-ti-ifov-631 |
| VER-REQ-090 | Verify SUB-REQ-030: Range calibrated retroreflectors at 200m, 1000m, 2000m, and 4000m from the system. Fire laser rangefinder at each target and record measured range. Pass criterion: range error does not exceed ±5m (1-sigma) at any range point; range update confirmed at minimum 1Hz. Rationale: LRF range accuracy is critical to ballistic solution quality (SUB-REQ-015); the ±5m specification must be measured against calibrated range targets because laser pulse timing drift cannot be assessed from component datasheets alone. | Test | verification, eosa, lrf, performance, session-631, idempotency:ver-sub030-lrf-range-631 |
| VER-REQ-091 | Verify SUB-REQ-032: Stream live sensor video through FCS to ODU. Insert frame timestamp at sensor output. Measure displayed frame timestamp at ODU output via high-speed camera. Pass criterion: end-to-end display latency does not exceed the specified maximum for both channels. Rationale: Operator display latency directly affects target tracking reaction time; the latency limit is derived from human factors analysis and must be validated under live video streaming conditions. | Test | verification, ocu, display, session-631, idempotency:ver-sub032-odu-latency-631 |
| VER-REQ-092 | Verify SUB-REQ-038: Apply input voltages at 18VDC (minimum), 28VDC (nominal), and 32VDC (maximum) to the PDU. Record output rail voltages, ripple, and current draw at each setpoint. Pass criterion: all regulated outputs remain within ±2% of nominal; ripple within spec; no BIT fault at any voltage. Rationale: PDU input range compliance ensures the system operates correctly across vehicle electrical bus excursions per MIL-STD-1275E (Characteristics of 28 Volt DC Electrical Systems in Military Vehicles); end-to-end output compliance must be measured on the integrated unit. | Test | verification, pdu, power, session-631, idempotency:ver-sub038-pdu-voltage-631 |
| VER-REQ-093 | Verify SUB-REQ-040: Measure all three regulated output rails (12V, 5V, 3.3V) under no-load, 50% load, and full load conditions. Record voltage, ripple, and transient response to 10% step load. Pass criterion: regulation within ±2% of nominal and ripple within spec at all load points. Rationale: DC-DC converter output accuracy affects digital logic and analogue sensor circuits; ±2% tolerance must be verified under load variations because converter regulation worsens at extremes that datasheets may not fully characterise for the integrated thermal environment. | Test | verification, pdu, power, session-631, idempotency:ver-sub040-dcdc-rails-631 |
| VER-REQ-094 | Verify SUB-REQ-045: Image a 1951 USAF resolution target at a standardised distance. Measure resolved spatial frequency per MIL-STD-150A (Photography). Pass criterion: camera resolves groups at or better than 0.3 mrad/pixel angular subtense; minimum frame rate of 30fps confirmed under full dynamic range conditions. Rationale: Day camera resolution is the foundational sensor performance parameter for target identification and tracking; actual resolution depends on detector pixel pitch, optics quality, and focus, which must be measured on the delivered unit. | Test | verification, eosa, day-camera, performance, session-631, idempotency:ver-sub045-day-camera-res-631 |
| VER-REQ-095 | Verify SUB-REQ-069: Using HIL test bench with FCS computer and TTP simulator, command target tracking sequence and verify TTP output packet rate is not less than 50 Hz and angular resolution is not coarser than 0.05 mrad over 60 seconds of continuous tracking. Pass criterion: 0 missed packets in 60 s, resolution confirmed by oscilloscope capture of raw PCIe bus. Rationale: Integration test verifying TTP output specification at the FCS internal interface. Test bench allows repeatable stimulus without live optics. | Test | verification, fire-control-system, session-632, idempotency:ver-sub-069-632 |
| VER-REQ-096 | Verify SUB-REQ-070: Using ballistic test bench with known meteorological inputs and a reference trajectory database, run 100 fire solution computations at 1500m range with 0, 10, and 20 km/h simulated crosswind. Compare BCM output (lead angle, elevation correction, fuze delay) against reference database. Pass criterion: output latency less than 20ms per solution, first-round hit prediction error within P1H 0.7 accuracy against 2m x 2m target model. Rationale: Ballistic accuracy is safety-significant — incorrect fire solutions cause engagement failures and potential collateral effects. Test bench validation with reference trajectories allows pre-qualification before live firing. | Test | verification, fire-control-system, session-632, idempotency:ver-sub-070-632 |
| VER-REQ-097 | Verify SUB-REQ-071: Using CIU test bench with network packet injection tool, transmit 200 MIL-STD-6016 messages with correct authentication and 50 messages with corrupted authentication tokens. Verify: all 200 valid messages processed, all 50 invalid messages rejected and logged, no rejected message propagates to fire control data bus. Pass criterion: 0 false accepts, 0 missed rejects, 100% logging of rejection events. Rationale: Authentication failure allows injection of false target data or fire commands — this is a safety-significant cybersecurity requirement. Test bench injection simulates adversarial network attack without live network exposure. | Test | verification, communications-interface-unit, cybersecurity, session-632, idempotency:ver-sub-071-632 |
| VER-REQ-098 | Verify SUB-REQ-073: Inject a synthetic processing fault signal into the Fire Control Computer test interface while weapon is in fire-ready state. Confirm: (a) weapon firing inhibited within 100ms, (b) fault code annunciated on OCU display, (c) no weapon discharge occurs. Pass if all three conditions met in 5 repeated trials. Rationale: Functional safety test for FCC fault response. Must demonstrate deterministic safe-state transition within the 100ms timing budget under fault injection conditions representative of worst-case processing failure. | Test | verification, fire-control-system, sil-2, session-633, idempotency:ver-sub-073-v2-633 |
| VER-REQ-099 | Verify SUB-REQ-074: With weapon in fire-ready state, apply fire command alone (no safety controller agree) and confirm firing relay does not energise. Apply safety controller agree alone and confirm firing relay does not energise. Apply both simultaneously and confirm firing relay energises within timing spec. Remove one input and confirm relay de-energises within 5ms. Pass if all cases behave as specified. Rationale: Combinatorial test of dual-confirmation logic must verify all four input combinations to demonstrate that the AND gate is correctly implemented in hardware, not only the positive case. | Test | verification, fire-control-system, sil-2, session-633, idempotency:ver-sub-074-633 |
| VER-REQ-100 | Verify SUB-REQ-079: From a cold system state, attempt to achieve fire-ready state without performing target identification on the OCU. Confirm system blocks fire-ready transition. Perform positive ID procedure with operator confirmation. Confirm fire-ready state is now achievable. Review post-engagement audit log and verify timestamp and operator ID are recorded. Pass if blocking and logging both verified. Rationale: ROE requirement must be verified both functionally (blocking behaviour) and as an audit trail (logging completeness). Inspection of the audit log is the only verifiable evidence of the ethical compliance obligation. | Inspection | verification, fire-control-system, ethical, roe, session-633, idempotency:ver-sub-079-633 |
| VER-REQ-101 | Verify SUB-REQ-081: Following a barrel replacement, command boresight verification from OCU. Measure time from command to result display. Introduce a calibrated 0.25 mrad bore offset and confirm pass result. Introduce 0.35 mrad offset and confirm fail result. Pass if: (a) result displayed within 60s, (b) 0.25 mrad gives pass, (c) 0.35 mrad gives fail. Rationale: Boresight verification must be tested at both sides of the 0.3 mrad threshold to confirm the measurement system resolution is adequate and the pass/fail criterion is correctly implemented, not merely that a result is displayed. | Test | verification, fire-control-system, session-633, idempotency:ver-sub-081-633 |
| VER-REQ-103 | Verify SUB-REQ-083: Power-cycle FCC three times using hardware watchdog timeout injection. Measure time from watchdog assertion to restoration of operational mode via BIT completion. Pass if all three restarts complete within 10 seconds with weapon remaining in SAFE state confirmed by Safety Interlock System state log. Rationale: Directly verifies the 10s recovery time bound and SAFE state maintenance defined in SUB-REQ-083 under hardware-injected fault conditions. | Test | verification, fire-control-system, sil-2, fcc-fdir, session-634, idempotency:ver-sub083-restart-634 |
| VER-REQ-104 | Verify SUB-REQ-084: Present a representative operator to the OCU interface without prior training for this specific layout. Task: from rest state, reach and activate ARM, FIRE, MODE SELECT, and TRACK ENABLE functions. Count control actuations per function. Pass if all four functions reachable within two actuations. Rationale: Usability demonstration with naive operator provides a valid test of the two-actuation bound without familiarity bias, directly verifying the human factors requirement. | Demonstration | verification, operator-control-unit, hmi, session-634, idempotency:ver-sub084-hmi-634 |
| VER-REQ-105 | Verify SYS-REQ-018: Set up two NATO standard vehicle targets (2.3m x 2.3m) at 1500m (day) and 800m (night/obscured) under prescribed illumination conditions. Operator identifies all 10 targets across two sensor modalities. Pass criterion: >= 9/10 correct identifications at each range using both EO and TI channels independently. Rationale: SYS-REQ-018 is a performance acceptance criterion that directly drives field trials. Range verification must use a representative tactical scenario with human operator to confirm the full system (optics + stabilisation + display chain) meets the PID requirement, not just the sensor module in isolation. | Test | session-635, qc, sensors, idempotency:qc-635-ver-sys-req-018-pid |
| VER-REQ-106 | Verify SYS-REQ-010: With RWS on system integration test bench, weapon loaded and turret in motion at 30 deg/s azimuth, activate E-STOP at OCU. Measure time from E-STOP button press to (a) firing solenoid circuit open and (b) both axis brake solenoids energised, using instrumented current probes at 1kHz sampling. Perform 20 trials at +25°C and 5 trials at -46°C cold soak. Pass criterion: turret drives de-energised and brakes engaged within 200ms on all 25 trials; firing circuit open within 50ms on all 25 trials. Rationale: SYS-REQ-010 is the system-level 200ms E-STOP timing requirement addressing H-002 (uncommanded turret motion crushing personnel, SIL-2) and H-003 (failure to safe state, SIL-3). Sub-component tests VER-REQ-009 and VER-REQ-084 verify individual SSOD and SIS signal paths but do not demonstrate end-to-end system timing from operator input to full mechanical brake engagement. A system-level test with instrumented current probes is required to close the safety argument for H-002 and H-003 at the SYS requirement level. | Test | session-636, validation, safety-interlock-system, sil-2, sil-3, idempotency:ver-sys-010-estop-system-test-636 |
| VER-REQ-107 | Verify SYS-REQ-009: On system integration bench with RWS in Engagement mode (weapon armed, turret active), interrupt the operator control link (OCU CAN bus cable disconnected) and measure time to (a) SAFE state assertion on the SIS bus and (b) firing solenoid circuit open, using instrumented CAN bus monitor and current probe at 1kHz. Perform 10 trials at ambient and 3 trials after 4-hour cold soak at -46°C. Also test link degradation scenario: inject 300ms sporadic dropout followed by total loss. Pass criterion: SAFE state asserted and firing circuit open within 500ms of last valid heartbeat on all 13 trials; no inadvertent safe-state trigger during the sporadic dropout phase. Rationale: SYS-REQ-009 directly addresses H-006 (loss of operator control while weapon armed, SIL-2): the 500ms safe-state timing must be verified at system level because the chain spans three subsystems (OCU/gateway heartbeat watchdog, SIS DCSC, SSOD relay). VER-REQ-003 verifies SUB-REQ-005 watchdog timing only; no existing VER test demonstrates the full end-to-end 500ms chain including relay actuation at system level. The sporadic dropout case tests the hazard where EMI or connector vibration causes intermittent link loss — the system must not false-trigger while still responding to genuine link loss. | Test | session-636, validation, safety-interlock-system, sil-2, idempotency:ver-sys-009-linkloss-system-test-636 |
| VER-REQ-108 | Verify SYS-REQ-017: Submit complete RWS assembly to MIL-STD-461G (Requirements for the Control of Electromagnetic Interference Characteristics of Subsystems and Equipment) conducted emissions and susceptibility test suite. Test cases shall include: RE102 radiated emissions scan from 10kHz to 18GHz; RS103 radiated susceptibility from 10kHz to 40GHz at field strengths per MIL-STD-461G Table RS103-I; CE102 conducted emissions on all power input cables; CS114/CS115 conducted susceptibility on power and signal lines. During RS103 exposure, the RWS shall be in Engagement mode with weapon armed. Pass criterion: RE102 emissions below applicable limits at all frequencies; RS103 susceptibility test results in no weapon state change, no loss of operator display, and no spurious safe-state assertions; CE102 within limits. Following EMC test, execute full BIT and confirm no latent faults. Rationale: SYS-REQ-017 is safety-relevant: H-001 and H-007 both cite EMI as a cause of uncommanded weapon discharge (SIL-3 hazard) and software state machine corruption. Performing RS103 susceptibility with weapon armed directly tests whether EMI can cause inadvertent firing — this is the key scenario not covered by any existing VER requirement. No VER entry for SYS-REQ-017 existed prior to this session. MIL-STD-461G (not just 461F) is the current applicable standard for ground military vehicles per DEF-STAN 59-411. | Test | session-636, validation, sil-3, emc, idempotency:ver-sys-017-emc-test-636 |
| VER-REQ-109 | Verify SYS-REQ-002: From a running vehicle in Surveillance mode, an operator acquires a stationary 2m x 2m target presented at 200m via thermal channel. Measure elapsed time from operator designation of target to first round fired (all operator actions timed). Perform 20 trials with two qualified crews in representative terrain/lighting. Pass criterion: detection-to-fire sequence completes within 8 seconds on ≥90% of trials (18/20); no trial exceeds 12 seconds. Record all sub-intervals: time-to-designation, ARM sequence duration, auto-tracker acquisition time, fire control solution latency. Rationale: SYS-REQ-002 (≤8s detection-to-fire) is a top-level system performance requirement derived from STK-REQ-001 (effective threat response in urban patrol). The 8s budget is decomposed across auto-tracker acquisition (SUB-REQ-066, ≤3s), FCC solution latency (SUB-REQ-063, ≤200ms), and ARM sequence (SUB-REQ-002), but no system-level test validates the complete human-in-the-loop sequence time including OCU menu interactions. This test closes the scenario validation gap in the Urban Patrol Engagement ConOps scenario. | Test | session-636, validation, fire-control-system, idempotency:ver-sys-002-sequence-timing-636 |
| VER-REQ-110 | Verify SYS-REQ-012: Apply power to RWS after 4-hour cold soak at -46°C. Measure time from power application to either (a) Surveillance mode ready state (all BIT checks pass) or (b) fault-displayed state (BIT detects safety-critical failure). Monitor SIS, FCS, servo drives, and sensor status via test instrumentation. Perform 5 trials at -46°C and 5 trials at +71°C. Pass criterion: BIT completes and mode transition occurs within 90 seconds on all trials; injected fault in servo drive (open-circuit fault) is detected and displayed within BIT on all 5 fault-injection trials; BIT does not pass with injected fault present. Rationale: SYS-REQ-012 is the gate between Initialization/BIT mode and Surveillance — a critical safety mode transition requirement. Failure to detect safety-critical faults during BIT allows the system to enter operational mode with unsafe hardware, directly enabling H-001, H-002, and H-003. The 90-second timing at -46°C is the worst-case temperature; no existing VER requirement verifies the BIT as a complete system sequence including fault detection sensitivity. The fault injection case is essential to validate that BIT has sufficient coverage to detect the failure modes it claims to catch. | Test | session-636, validation, safety-interlock-system, sil-3, idempotency:ver-sys-012-bit-timing-636 |
| VER-REQ-111 | Verify SYS-REQ-008: On fully integrated RWS with FCS in Engagement mode and weapon ARMED, force the FCS main processor into a software exception state (inject memory corruption pattern at known address in test firmware). Confirm: (a) the Hardware Firing Interlock Relay remains de-energised (no firing solenoid current), (b) the Dual-Channel Safety Controller independently commands SAFE state within 100ms of FCS watchdog timeout, (c) no weapon discharge occurs. Repeat with SIS test harness applying all defined safety conditions in sequence (E-STOP, maintenance mode key, interlock trip, link loss). Pass criterion: firing solenoid circuit reads <1mA (open) under all FCS fault states; each safety condition individually prevents firing independently of FCS state within 100ms. Rationale: SYS-REQ-008 states the hardware firing interlock must be independent of fire control software — directly addressing H-001 (uncommanded discharge via electrical fault or software error, SIL-3) and H-007 (software fault causing fire via state machine corruption, SIL-3). The independence property cannot be verified by sub-component tests alone; it requires demonstrating that with FCS software in a known fault state, the hardware interlock still enforces safe-state. This is the key IEC 61508 (Functional safety of E/E/PE safety-related systems) architectural independence argument for SIL-3 at the system level. | Test | session-636, validation, safety-interlock-system, sil-3, idempotency:ver-sys-008-hw-interlock-independence-636 |
| VER-REQ-112 | Verify SUB-REQ-077: Configure PDU test harness with three safety-critical branch loads (firing interlock relay simulator, safety controller supply, servo drive supply). Inject a sustained overcurrent fault (2x fuse rating for 200ms) on each branch in turn. Confirm: (a) the faulted branch disconnects and the load de-energises, (b) both remaining safety-critical branches remain energised and delivering rated voltage (28VDC ±2V) throughout the fault and recovery, (c) post-fault BIT detects the blown fuse and flags the fault within 5s. Repeat for all three branches. Pass criterion: zero voltage excursion >5% on non-faulted safety-critical branches; BIT detects all three fuse-blow events. Rationale: SUB-REQ-077 is SIL-3 rated because PDU branch failure that interrupts safety interlock or safety controller power directly enables H-001 (uncommanded discharge) and H-003 (failure to safe). The independence property must be verified at system level with real overcurrent injection — PCB-level inspection cannot confirm isolation under fault conditions. The test proves the branching architecture protects all safety-critical loads simultaneously. | Test | session-638, validation, power-distribution-unit, sil-3, idempotency:ver-sub077-pdu-branch-isolation-638 |
| VER-REQ-113 | Verify SUB-REQ-027: Connect SIS test harness to TDA servo controller. Establish normal azimuth slew at 30°/s. Command DRIVE-INHIBIT from SIS. Measure elapsed time from DRIVE-INHIBIT signal assertion to servo drive de-energisation and mechanical brake engagement on both axes. Log azimuth/elevation encoder data at 1kHz during the transition. Test at ambient temperature (+20°C) and cold soak (-40°C). Attempt to issue RESUME command while DRIVE-INHIBIT remains asserted; verify no motion occurs. Issue DRIVE-INHIBIT de-assert followed by FCC RESUME command and verify normal operation restores. Pass criterion: both axes cease motion and brakes engage within 200ms on all 10 trials at both temperatures; zero motion detected on RESUME-only command while DRIVE-INHIBIT is asserted. Rationale: SUB-REQ-027 addresses H-002 (uncommanded turret motion, SIL-2): when the SIS determines a hazardous condition, the TDA must stop within 200ms to prevent personnel injury. The 200ms budget is safety-derived — turret inertia at 30°/s takes approximately 120ms to dissipate; the 200ms ceiling includes signal propagation and brake engagement. Testing at -40°C is required because lubricant viscosity affects brake engagement speed. The RESUME guard test verifies the SIS cannot be bypassed by the FCC. | Test | session-638, validation, turret-drive-assembly, sil-2, idempotency:ver-sub027-tda-drive-inhibit-638 |
| VER-REQ-114 | Verify SUB-REQ-075: With FCS in Engagement mode and active auto-track on a designated target, inject a simulated target track dropout at TTP (suppress track update output). Measure: (a) time from dropout to FCS firing circuit inhibit, (b) time from dropout to operator warning display, (c) whether FCS requires explicit operator re-designation before accepting a new firing solution. Run 10 trials with dropout at 501ms (boundary), 1000ms, and 5000ms. Pass criterion: firing circuit inhibited within 600ms of 500ms continuous dropout; operator warning displayed within 1s of dropout; FCS refuses to compute firing solution until operator explicitly re-designates target on all 10 trials. No self-recovery without operator action accepted. Rationale: SUB-REQ-075 is SIL-2 because stale track data driving an active fire solution without operator awareness directly enables H-004 (friendly fire via sensor degradation). The 500ms threshold is chosen because track loss shorter than this is within normal target obscuration tolerance; beyond 500ms the track is operationally invalid and must not drive autonomous firing. The operator re-designation guard prevents the system from resuming engagement on a track whose validity was lost without operator confirmation. | Test | session-638, validation, fire-control-system, sil-2, idempotency:ver-sub075-fcs-trackloss-638 |
| VER-REQ-115 | Verify SUB-REQ-047: With weapon system mounted to vehicle, weapon cleared and condition confirmed SAFE by SIS BIT. Provide two qualified armourers with standard military tool sets (no specialist equipment). Initiate barrel change procedure: disassemble feed, remove barrel, fit new calibrated barrel, re-assemble feed, re-zero barrel alignment, confirm secure. Time from initiation to maintenance-complete with BIT pass confirmation. Perform 3 trials per armourer pair (6 total). Also perform 3 round-jam clearance trials. Pass criterion: barrel change completes within 15 minutes on all 6 trials (not 30 as per STK; SUB-REQ-047 allocates 30 total; barrel change alone must be ≤15 minutes to leave margin for round jam clearance); round jam clearance completes within 10 minutes on all 3 trials; BIT passes and confirms weapon safe after each trial. Rationale: SUB-REQ-047 is SIL-2 because a weapon that cannot be brought to a safe confirmed state during maintenance (jam clearance timed out, barrel not seated correctly) creates a hazardous condition for the maintenance crew. Demonstration is appropriate because MTTR is a human factors metric that depends on tool set design and procedure quality; it must be demonstrated with qualified personnel under realistic field conditions, not simulated analytically. | Demonstration | session-638, validation, weapon-and-ammunition-handling, sil-2, maintainability, idempotency:ver-sub047-waha-mttr-638 |
| VER-REQ-116 | Verify SUB-REQ-076: On FCS test bench, attempt to load firing table data via the BCM update interface using: (a) a valid authenticated packet with correct cryptographic signature, (b) a packet with corrupted signature (1-bit flip), (c) a replay of a previously accepted valid packet with incremented sequence counter, (d) an unauthenticated plaintext data payload. Log BCM acceptance or rejection for each case. Then load a valid authenticated firing table with a known ballistic solution offset; confirm the BCM fires solution reflects the loaded table. Pass criterion: (a) accepted and applied; (b), (c), (d) all rejected with fault logged; BCM ballistic solution reflects authenticated table contents within 2 computation cycles. Rationale: SUB-REQ-076 is SIL-2 because a corrupted or adversarially injected firing table could produce systematic ballistic errors enabling H-004 (friendly fire from target misidentification or erroneous fire solution). Authentication of firing table updates is a safety-critical data integrity control. The replay attack case (c) tests sequence-counter enforcement which prevents an adversary replaying a previously-valid but now-stale table. | Test | session-638, validation, fire-control-system, ballistic-computation-module, sil-2, cybersecurity, idempotency:ver-sub076-bcm-auth-638 |
| VER-REQ-117 | Verify SUB-REQ-082: With RWS in Degraded Operation mode and thermal imager deliberately disabled (fault injected via test interface), designate a stationary 2m x 2m target at 800m using day-channel only. Attempt target engagement using day channel tracking and LRF ranging. Measure: (a) minimum range at which target can be positively identified and tracked in day channel, (b) time from sensor failure detection to DEGRADED mode alert on OCU display (must be ≤3s per requirement), (c) engagement capability with remaining sensor. Perform 5 trials in typical overcast lighting. Pass criterion: positive target identification and stable track achievable at ≥800m in day channel; DEGRADED alert on OCU within 3s of sensor failure on all 5 trials; fire control solution computed and weapon capable of engaging within DEGRADED mode constraints. Rationale: SUB-REQ-082 is a system-level degraded mode capability requirement derived from the Degraded Sensor Operation ConOps scenario (thermal crossover renders TI ineffective, crew must maintain mission capability on day camera). Demonstration is appropriate because the 800m engagement range under degraded conditions depends on the integrated sensor/FCS/human performance chain. No subsystem test verifies this end-to-end capability — it requires the full system with a qualified crew. | Demonstration | session-638, validation, electro-optical-sensor-assembly, fire-control-system, degraded-mode, idempotency:ver-sub082-degraded-mode-638 |
| VER-REQ-118 | Verify SUB-REQ-078: With RWS powered and thermal imaging channel active, inject a simulated primary optical channel failure via test interface. Measure: (a) time from fault injection to thermal imaging data appearing on FCC video input (must be ≤2s), (b) operator alert displayed on OCU within 2s of failure. Repeat for 5 trials at ambient and boundary temperatures. Pass criterion: transition latency ≤2s and operator alert confirmed on all trials. Rationale: SUB-REQ-078 requires the EOSA to continue providing thermal imaging data with no more than 2s transition latency when the optical channel fails. Identified as unverified during validation session 638. Demonstration required because failover involves sensor hardware, FCC processing, and operator display chain. | Demonstration | reqs-eng-session-641, electro-optical-sensor-assembly, verification |
| VER-REQ-119 | The Electro-Optical Sensor Assembly SHALL be verified to operate correctly when supplied with 20V, 28V, and 32VDC input. Measure power consumption, sensor image quality, and stabilisation performance at each voltage. Pass criterion: all sensor functions nominal across the full 20-32V range. Rationale: SUB-REQ-012 specifies EOSA 28VDC power input with 20-32V operating range. Boundary testing at min/max voltage ensures sensors maintain performance under vehicle power bus variation. | Test | verification |
| VER-REQ-120 | While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL be verified to continue providing day-channel video to the Fire Control Computer. Inject a TI channel failure and confirm day video stream continuity within 2s. Repeat for 5 trials. Pass criterion: day channel uninterrupted on all trials. Rationale: SUB-REQ-031 requires EOSA to provide day-channel continuity when TI fails. This is the inverse of SUB-REQ-078 (optical failure → TI continuity). Both failover paths must be demonstrated to confirm SYS-REQ-011 degraded operation. | Demonstration | review-session-642, electro-optical-sensor-assembly, verification |
| VER-REQ-121 | The Gunner Hand Controller SHALL be verified to transmit azimuth and elevation slew commands at the specified rate. Connect GHC to OCU CPU via production cable and measure command output rate and latency using a protocol analyser. Pass criterion: slew command rate and latency within SUB-REQ-033 specification. Rationale: SUB-REQ-033 specifies GHC command output rate for operator control responsiveness. Untested GHC output could introduce control latency affecting engagement timelines (SYS-REQ-002). | Test | review-session-642, operator-control-unit, verification |
| VER-REQ-122 | The Video Compression and Network Interface Module SHALL be verified to compress and transmit daylight and thermal video at the specified resolution and frame rate. Stream live sensor video through VCNIM to a network analyser. Measure output bitrate, resolution, latency, and frame rate. Pass criterion: meets SUB-REQ-035 specification. Rationale: SUB-REQ-035 specifies VCNIM compression performance for video distribution to BMS and tactical data link. Insufficient compression or excess latency would degrade remote situational awareness (SYS-REQ-013). | Test | review-session-642, communications-interface-unit, verification |
| VER-REQ-123 | The CAN Bus and Serial Protocol Gateway SHALL be verified to receive and republish CAN bus and serial data correctly. Inject CAN 2.0B and RS-422 test frames at rated bus speed and confirm correct republishing on all output ports. Pass criterion: zero frame loss over 10000 frames at rated speed. Rationale: SUB-REQ-036 specifies the gateway's CAN/serial bridging function. Incorrect republishing would corrupt sensor data or control commands between subsystems (SYS-REQ-013, IFC-REQ-027). | Test | review-session-642, communications-interface-unit, verification |
| VER-REQ-124 | The EMC Filter and Surge Protection Assembly SHALL be verified to suppress conducted emissions to the levels specified in MIL-STD-461G CE102. Apply conducted emissions test per MIL-STD-461G Method CE102 with PDU powered at rated load. Pass criterion: emissions below MIL-STD-461G CE102 limits across 10kHz–10MHz. Rationale: SUB-REQ-037 specifies EMC filter performance to meet SYS-REQ-017 MIL-STD-461G compliance. Without verification, conducted emissions could interfere with vehicle electronics or fail platform EMC certification. | Test | review-session-642, power-distribution-unit, verification |
| VER-REQ-125 | The Power Monitor and Control Unit SHALL be verified to sample voltage and current on each subsystem power rail at the specified rate and accuracy. Apply calibrated voltage and current sources to PMCU inputs and compare PMCU readings against reference instrumentation. Pass criterion: measurement accuracy within SUB-REQ-041 specification. Rationale: SUB-REQ-041 specifies PMCU monitoring accuracy for health monitoring and fault detection. Inaccurate power monitoring could mask overload conditions or trigger false fault alarms (IFC-REQ-029). | Test | review-session-642, power-distribution-unit, verification |
| VER-REQ-126 | The Tactical Data Link Processor SHALL be verified to operate correctly from the vehicle 28V DC bus across the 18V–32V operating range. Apply 18V, 28V, and 32VDC to TDLP power input and verify MIL-STD-6016 message processing at each voltage. Pass criterion: all link functions nominal at boundary voltages. Rationale: SUB-REQ-072 specifies TDLP power input range from the vehicle DC bus. Power boundary verification ensures tactical data link availability under vehicle electrical transients — critical for remote engagement authorisation. | Test | review-session-642, communications-interface-unit, verification |
| VER-REQ-127 | The Tactical Data Link Processor SHALL be verified to comply with MIL-STD-6016E message format and timing. Connect TDLP to a certified MIL-STD-6016E test facility and execute the standard interoperability test suite. Pass criterion: full compliance with MIL-STD-6016E J-series message catalogue and network timing. Rationale: SUB-REQ-080 specifies MIL-STD-6016E compliance for tactical data exchange. Interoperability testing is essential — non-compliant message formatting would prevent integration with allied C2 systems. | Demonstration | review-session-642, communications-interface-unit, verification |
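The acceptance checks that VER-REQ-097 and VER-REQ-116 exercise (valid authenticated packet accepted and applied; corrupted signature, replay and unauthenticated plaintext rejected; every rejection logged and nothing rejected reaching the data bus) can be run against a small test gate. The following Python is an added example, not code from the report or from any RWS firmware; the wire format, HMAC-SHA256 keying, the `AuthGate` class, the `ver_req_116_cases` / `batch_injection` harness functions and all sample payloads are constructed assumptions. It also shows why the sequence counter must sit inside the signed body: a replay with the counter bumped fails the signature check, an exact replay fails the counter check.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

SEQ_LEN = 4    # sequence counter, big-endian unsigned (assumed format)
TAG_LEN = 32   # HMAC-SHA256 tag (assumed; stands in for the real signature)


def build_packet(key: bytes, seq: int, payload: bytes) -> bytes:
    """Constructed wire format: seq || payload || tag, with tag over seq || payload."""
    body = struct.pack(">I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


@dataclass
class AuthGate:
    """Hypothetical acceptance gate in front of the BCM / fire control data bus."""
    key: bytes
    last_seq: int = -1                                 # highest accepted counter
    table: bytes = b""                                 # currently loaded firing table
    forwarded: list = field(default_factory=list)      # payloads that reached the bus
    log: list = field(default_factory=list)            # rejection log entries

    def receive(self, packet: bytes) -> str:
        """Return "accepted" or "rejected:<reason>"; only accepted data is applied."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return self._reject("malformed")           # e.g. unauthenticated plaintext
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Signature is checked first, in constant time, so a forged packet
        # cannot learn anything about counter state from the rejection reason.
        if not hmac.compare_digest(tag, expected):
            return self._reject("bad-signature")
        seq = struct.unpack(">I", body[:SEQ_LEN])[0]
        if seq <= self.last_seq:                       # replay / stale table
            return self._reject(f"stale-sequence:{seq}")
        self.last_seq = seq
        self.table = body[SEQ_LEN:]
        self.forwarded.append(self.table)
        return "accepted"

    def _reject(self, reason: str) -> str:
        self.log.append(reason)                        # 100% logging of rejections
        return "rejected:" + reason


def ver_req_116_cases(key: bytes) -> dict:
    """Cases (a)-(d) of VER-REQ-116 plus the final authenticated table load."""
    gate = AuthGate(key)
    results = {}
    pkt_a = build_packet(key, 1, b"TABLE-A")
    results["a"] = gate.receive(pkt_a)                            # valid, accepted
    pkt_b = pkt_a[:-1] + bytes([pkt_a[-1] ^ 0x01])                # 1-bit flip in signature
    results["b"] = gate.receive(pkt_b)
    results["c_exact"] = gate.receive(pkt_a)                      # exact replay of (a)
    pkt_c = struct.pack(">I", 2) + pkt_a[SEQ_LEN:]                # replay, counter bumped
    results["c_bumped"] = gate.receive(pkt_c)
    results["d"] = gate.receive(b"TABLE-X")                       # plaintext, no signature
    results["reload"] = gate.receive(build_packet(key, 2, b"TABLE-B"))
    results["table_reflects_load"] = gate.table == b"TABLE-B"
    results["log"] = list(gate.log)
    return results


def batch_injection(key: bytes, n_valid: int = 200, n_corrupt: int = 50) -> dict:
    """VER-REQ-097 style batch: valid and corrupted messages interleaved."""
    gate = AuthGate(key)
    valid = [build_packet(key, 1000 + i, b"J-MSG-%03d" % i) for i in range(n_valid)]
    corrupt = []
    for j in range(n_corrupt):
        p = build_packet(key, 5000 + j, b"BOGUS-%03d" % j)
        corrupt.append(p[:-1] + bytes([p[-1] ^ 0x80]))            # corrupted token
    stream = []
    for i, p in enumerate(valid):
        stream.append(p)
        if i % 4 == 0 and corrupt:
            stream.append(corrupt.pop())
    stream.extend(corrupt)
    outcomes = [gate.receive(p) for p in stream]
    return {
        "accepted": outcomes.count("accepted"),
        "rejected": sum(o.startswith("rejected:") for o in outcomes),
        "logged": len(gate.log),
        "forwarded": len(gate.forwarded),
        "only_valid_forwarded": gate.forwarded == [p[SEQ_LEN:-TAG_LEN] for p in valid],
    }


if __name__ == "__main__":
    key = b"k" * 32                                               # constructed test key
    for name, outcome in ver_req_116_cases(key).items():
        print(f"VER-REQ-116 {name}: {outcome}")
    print("VER-REQ-097 batch:", batch_injection(key))
```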
```mermaid
flowchart TB
    n0["component<br>Dual-Channel Safety Controller"]
    n1["component<br>Hardware Firing Interlock Relay"]
    n2["component<br>Arming Key Switch Assembly"]
    n3["component<br>E-stop and Link Watchdog Module"]
    n4["component<br>Safe State Output Driver"]
    n2 -->|arm-key-status 28VDC| n0
    n3 -->|E-STOP + watchdog signal| n0
    n0 -->|fire-enable dual-channel| n1
    n0 -->|brake+inhibit command| n4
```

Safety Interlock System — Internal
```mermaid
flowchart TB
    n0["component<br>Fire Control Computer"]
    n1["component<br>Target Tracking Processor"]
    n2["component<br>Ballistic Computation Module"]
    n3["component<br>Weapon Control Interface"]
    n1 -->|track data 50Hz| n0
    n0 -->|range + IMU + target data| n2
    n2 -->|ballistic corrections| n0
    n0 -->|FIRE/CEASE/SAFE RS-422| n3
```

Fire Control System — Internal
```mermaid
flowchart TB
    n0["component<br>Weapon Cradle and Mount"]
    n1["component<br>Recoil Buffer and Damping System"]
    n2["component<br>Ammunition Magazine Assembly"]
    n3["component<br>Belt Feed and Transfer Mechanism"]
    n4["component<br>Barrel Change Mechanism"]
    n2 -->|belted ammo feed| n3
    n3 -->|round chambering| n0
    n0 -->|recoil impulse transfer| n1
    n4 -->|barrel attach/detach| n0
```

Weapon and Ammunition Handling — Internal
```mermaid
flowchart TB
    n0["component<br>Turret Drive Controller"]
    n1["component<br>Azimuth Drive Motor and Gearbox"]
    n2["component<br>Elevation Drive Motor and Gearbox"]
    n3["component<br>Turret Position Encoder Assembly"]
    n4["component<br>Azimuth Slip Ring Assembly"]
    n4 -->|28VDC power + CAN-bus signals| n0
    n3 -->|az/el position feedback| n0
    n0 -->|azimuth drive command| n1
    n0 -->|elevation drive command| n2
```

Turret Drive Assembly — Internal
```mermaid
flowchart TB
    n0["component<br>Thermal Imaging Camera"]
    n1["component<br>Daylight Television Camera"]
    n2["component<br>Laser Rangefinder"]
    n3["component<br>Sensor Head Stabilisation Platform"]
    n0 -->|LWIR video stream| n3
    n1 -->|1080p video stream| n3
    n2 -->|range data 200m-5km| n3
```

Electro-Optical Sensor Assembly — Internal
```mermaid
flowchart TB
    n0["component<br>OCU Control Processing Unit"]
    n1["component<br>Operator Display Unit"]
    n2["component<br>Gunner Hand Controller"]
    n2 -->|joystick + trigger inputs| n0
    n0 -->|video + status display| n1
```

Operator Control Unit — Internal
```mermaid
flowchart TB
    n0["component<br>Tactical Data Link Processor"]
    n1["component<br>Video Compression and Network Interface Module"]
    n2["component<br>CAN Bus and Serial Protocol Gateway"]
    n3["component<br>EMC Filter and Surge Protection Assembly"]
    n1 -->|compressed video stream| n0
    n2 -->|system status + target data| n0
    n3 -->|conditioned CAN-bus signals| n2
```

Communications Interface Unit — Internal
```mermaid
flowchart TB
    n0["component<br>Primary Power Input Filter and Surge Arrester"]
    n1["component<br>DC-DC Converter Array"]
    n2["component<br>Power Distribution and Protection Module"]
    n3["component<br>Power Monitor and Control Unit"]
    n0 -->|filtered 28VDC| n1
    n0 -->|28VDC to subsystems| n2
    n3 -->|load shed commands| n2
```

Power Distribution Unit — Internal
| Entity | Hex Code | Description |
|---|---|---|
| Ammunition cookoff from thermal exposure | 00000201 | Hazard in RWS: ammunition in the feed system or magazine detonates due to excessive heat from sustained firing, vehicle fire, IED strike, or solar heating in desert environments. Consequence: catastrophic destruction of turret assembly, potential hull breach, crew casualties. Desert operations can reach ammunition storage temperatures above 70°C ambient. Sustained firing heats the receiver and barrel, conducting heat to adjacent ammunition. |
| Ammunition Feed and Management | 51F73219 | System function of Remote Weapon Station (RWS): manages the mechanical belt feed from magazine to weapon chamber, tracks round count, detects ammunition type via sensor, detects feed jams. Inputs: ammunition belt, type sensor signal, round counter. Outputs: rounds fed to weapon, round count, jam alert, ammunition type to FCS for ballistic table selection. Performance: sustained feed rate for 700 rpm cyclic, 200-400 round magazine capacity, STANAG 4090 compatible link. |
| Ammunition Magazine Assembly | CE851059 | Belt-fed ammunition storage container mounted to RWS turret, capacity 400 rounds in soft-pack or rigid 7.62mm/.50 cal configuration. Includes feed-exit port with anti-snag guide, quick-release retention clips for rapid reload by single maintainer. Capacity sensor provides round-count feedback to Fire Control Computer. Must survive 6g vibration per MIL-STD-810 Method 514.8. |
| Ammunition Supply System | 44853859 | External ammunition supply: belted or linked ammunition fed from a magazine (typically 200-400 rounds for 12.7mm) mounted on the turret or in the hull with a feed chute. Interface includes mechanical feed path, ammunition type sensor (to verify correct calibre loaded), and round counter. Ammunition subject to STANAG 4090 (small arms ammunition) and AOP-39 (ammunition storage). |
| Arming Key Switch Assembly | C6CD5819 | Physical key-operated rotary switch providing the first of two required arming actions for weapon discharge in the Remote Weapon Station Safety Interlock System. Generates hardwired 28VDC signal directly to the Dual-Channel Safety Controller — not software-mediated. Has three positions: SAFE, ARMED, MAINTENANCE-LOCKOUT. Mounted in crew compartment, accessible only to authorised crew. Provides physical proof-of-intent separate from operator control unit software commands. |
| Azimuth Drive Motor and Gearbox | D7D51008 | Brushless DC motor with integrated planetary gearbox driving 360° continuous azimuth rotation of the RWS turret. Provides 0°/s to 60°/s slew rate with 0.1 mrad pointing accuracy. Output torque 500 Nm to overcome turret inertia and wind loading at maximum slew rate. Motor encoder provides 20-bit position feedback to the Turret Drive Controller at 1kHz. |
| Azimuth Slip Ring Assembly | D6851018 | Multi-circuit slip ring with 40 electrical circuits providing continuous 360° power and signal transfer through the azimuth rotation joint. Carries 24VDC power (20A), MIL-STD-1553B data bus, Ethernet 100BASE-TX, and analog sensor signals between the fixed vehicle hull and the rotating turret platform. Rated for 50,000 rotations minimum life. |
| Ballistic Computation Module | 41F73B19 | Software module executing on the Fire Control Computer that calculates the weapon aiming offset to achieve first-round hit. Inputs: LRF slant range (±5m accuracy), target angular velocity from TTP, vehicle inertial velocity and rotation from IMU, ammunition type and lot data, crosswind from sensors. Implements Mach-regime external ballistics model. Outputs azimuth and elevation corrections in mrad to the pointing error loop. Must re-compute within 20ms of updated range measurement. |
| Barrel Change Mechanism | 4CB53819 | Tool-free barrel locking and release system on the weapon cradle enabling single-maintainer hot barrel swap in less than 30 seconds. Includes quick-release barrel latch, heat-resistant barrel handle interface, and barrel retention sensor confirming positive lock before firing is permitted. Barrel retention state output to Safety Interlock System as a fire-permit precondition. |
| Belt Feed and Transfer Mechanism | CE851018 | Dual-path ammunition belt routing assembly channelling rounds from the magazine through the RWS turret structure to the weapon feed port. Includes anti-twist belt guides, spring-tensioned feed pawls maintaining 15-25N belt tension, and a metallic link catcher for disintegrating belt ammunition. Routes a 400-round belt through 300mm radius bends without jamming across the full turret traverse range of 360° azimuth and 40° elevation travel. |
| Boresight/Calibration mode of RWS | 50B53A00 | Sensor alignment and calibration mode of a Remote Weapon Station. Weapon safed, turret under controlled low-speed slew to calibrate EO/TI sensor boresight against weapon bore axis using a calibration target at known range. LRF range calibration against known reference. Gyroscope and IMU drift correction. Performed after maintenance, barrel change, or when BIT detects sensor misalignment exceeding 0.5 mrad. Requires stable vehicle (parked, engine idle). Operator-supervised, automated alignment sequence with manual override. |
| Built-In Test and Health Monitoring | 55F57209 | System function of Remote Weapon Station (RWS): performs power-on self-test and continuous monitoring of all subsystems — servo drive encoders, sensor health, safety interlock continuity, firing circuit integrity, ammunition counter, communication links. Outputs: fault codes, degraded-mode alerts, maintenance action recommendations, BIT pass/fail for each subsystem. Performance: complete power-on BIT in 90s at -46°C, continuous monitoring at 1 Hz. |
| CAN Bus and Serial Protocol Gateway | 50E57008 | Protocol gateway in the RWS CIU bridging the host vehicle CAN bus (ISO 11898, 500kbps) to the internal RWS Ethernet network. Receives vehicle status (engine state, navigation data, power bus voltage) and power management commands via CAN and republishes as UDP datagrams on the internal network. Also provides RS-422 buffering for GPS NMEA-0183 input at 10Hz and distributes position data to FCS and CIU. Performs message filtering, rate limiting, and watchdog monitoring. SIL 0, non-safety-critical function. |
| channel safety controller | D6F51018 | Ruggedised PCB assembly housed in a physically discrete enclosure. This is a physical electronic device — a circuit board with microprocessor, relay drivers, and discrete I/O connectors. Mounted in the vehicle electronics bay as a Line-Replaceable Unit (LRU). Has physical mass, volume, connectors, and mechanical mounting. Implements IEC 61508 SIL 3 hardware fault tolerance. Physically separate redundant channel. Physical object with electrical inputs and relay outputs. |
| Communications and Data Link Interface | 40E57219 | System function of Remote Weapon Station (RWS): manages external data interfaces — tactical data link (MIL-STD-6016 or BMS protocol) for target handoff, blue force tracking, and sensor imagery export; CAN-bus vehicle interface for vehicle status and GPS/navigation data; RS-422 for precision navigation input. Inputs: BMS messages, GPS NMEA, vehicle CAN. Outputs: compressed sensor video at 15 fps, position reports at 1 Hz, target data, engagement status. Performance: latency <200ms for engagement-critical messages. |
| Communications Interface Unit | D4E57019 | Subsystem of Remote Weapon Station (RWS): manages all external digital interfaces. Contains: CAN-bus controller (vehicle bus interface for power management, vehicle status, GPS/INS data), RS-422 interface for precision navigation, MIL-STD-6016 tactical data link modem interface (target handoff, blue force tracking, engagement status), video encoder for sensor imagery compression and export (H.264 at 15 fps), and Ethernet switch for internal subsystem network. Data latency <200ms for engagement-critical messages. |
| Daylight Television Camera | D6C55019 | High-resolution CCD/CMOS day channel camera co-boresighted with thermal imager on the RWS sensor head. 0.3 mrad minimum IFOV with 2x to 10x continuous optical zoom. Provides colour imagery at 50Hz frame rate via GigE Vision. Sensor stabilised on same 2-axis gimbal as thermal camera. Used as primary channel for target identification and engagement in daylight conditions. |
| DC-DC Converter Array | D6D51018 | Multi-output DC-DC converter module in the RWS PDU providing regulated supply rails: 28VDC (pass-through, 15A), 12VDC (5A for sensors and cameras), 5VDC (3A for digital logic), 3.3VDC (2A for FPGAs). Synchronous buck topology, >90% efficiency, MIL-STD-704F compliant. Input 18-32VDC. Output ripple <50mV p-p. Soft-start and overcurrent protection per rail. Operating temperature -40°C to +71°C, MIL-STD-810G vibration. |
| Degraded Operation mode of RWS | 00B47200 | Fallback operational mode when one or more subsystems have failed: single-sensor operation (thermal or day only), manual tracking (auto-tracker failed), backup power (vehicle main power lost), reduced stabilization (one gyro failed). Weapon may still be fireable with degraded accuracy. Entry: automatic transition when Built-In Test detects subsystem failure. Exit: fault cleared and full capability restored, or crew commands stow. Operator receives degradation warnings with specific capability loss indicated on display. |
| Degraded sensor operation scenario | 00144200 | Degraded operations scenario: During desert patrol at 1400hrs, thermal crossover renders thermal imager ineffective — targets blend with ambient background temperature. RWS BIT detects low thermal contrast and alerts operator. Operator switches to day camera as primary sensor. Auto-tracker performance degrades in day-only mode due to reduced contrast in dust haze. Operator falls back to manual tracking. Engagement accuracy reduced but weapon system remains functional. Operator reports degradation to commander who adjusts patrol timing to avoid crossover period. |
| Dismounted Infantry operating near RWS vehicle | 01040021 | Personnel operating on foot near the RWS-equipped vehicle: at risk from uncommanded turret motion and weapon discharge. Must trust the RWS safety systems when working within the turret sweep zone. Coordinate with VC for fire support from the RWS. Primary safety concern — they are in the hazard zone. |
| Dual-Channel Safety Controller | D6E53058 | Dual-redundant safety controller implemented as two physically separate processing boards in a common housing, each independently processing firing inhibit logic via IEC 61508 SIL 3 architecture. Physical LRU with dedicated power supply, discrete I/O for safety interlocks, and hardened relay outputs for firing circuit break. Installed in turret electronics bay adjacent to safety interlock relays. |
| E-stop and Link Watchdog Module | D6C55018 | Dedicated hardware module within the Safety Interlock System of a Remote Weapon Station that monitors two independent safe-state triggers: (1) physical Emergency Stop button (hardwired, normally-closed circuit) and (2) data link heartbeat timeout (asserts safe state if no valid operator heartbeat for >200ms). Both channels are hardwired to the Dual-Channel Safety Controller — no software processing path. Provides galvanically isolated digital status outputs to safety controller at 100Hz polling rate. Operating on 28VDC, -40°C to +70°C. |
| Electro-Optical Sensor Assembly | D7F55019 | Subsystem of Remote Weapon Station (RWS): integrated sensor head containing day CCD camera (0.3 mrad IFOV, dual-FOV 18°/3°), uncooled LWIR thermal imager (50mK NETD, 640x512, dual-FOV), and eye-safe laser rangefinder (200-3000m, ±5m accuracy). Gimballed on the weapon cradle for co-boresighted operation. IP67 sealed with anti-condensation heater. Outputs analog/digital video to FCS and OCU. Operating temperature -46°C to +71°C. Contains auto-focus, electronic zoom, video recording, and automatic target detection algorithms. |
| Elevation Drive Motor and Gearbox | D7D51018 | Brushless DC motor with worm gearbox driving -20° to +55° elevation of the RWS weapon assembly. Provides 0°/s to 30°/s elevation slew rate with 0.1 mrad pointing accuracy. Self-locking worm drive ensures weapon elevation holds position on power loss without brake engagement. Output torque 200 Nm. Encoder provides 20-bit position feedback to Turret Drive Controller. |
| EMC Filter and Surge Protection Assembly | C6851058 | Passive EMC and transient voltage suppression assembly at the signal and power ingress of the RWS CIU. Provides MIL-STD-461G CE101/CE102 conducted emissions suppression on the 28VDC supply to the CIU. Includes TVS diodes and LC filters on all external signal cables (RS-422, CAN bus, Ethernet) to suppress ESD up to 15kV (IEC 61000-4-2 Level 4). Housed in a shielded metal enclosure; passive component with no power consumption. Operating temperature -40°C to +85°C. |
| Emergency stop during engagement scenario | 40BD2A00 | Emergency scenario: During engagement, operator notices turret traversing past commanded bearing — uncommanded motion detected. Operator immediately presses E-STOP. System de-energises turret drives, applies mechanical brakes, safes weapon firing circuit within 200ms. Turret halts. Operator reports malfunction. Commander orders vehicle to withdraw. Maintenance crew investigates — finds azimuth encoder producing erroneous position feedback causing servo loop instability. LRU replacement of azimuth encoder assembly required. BIT re-run confirms fix before return to operational status. |
| Emergency Stop mode of RWS | 40B53A51 | Safety shutdown mode: weapon immediately safed, turret drive motors de-energised, mechanical brakes applied, all fire interlocks engaged. Entry: operator presses emergency stop, or safety system detects critical fault (e.g., uncommanded turret motion, fire in turret, ammunition cookoff detection). Exit: manual reset by crew after fault investigation. All sensor recording preserved for incident analysis. This is the system safe state for all weapon-related hazards. |
| Engagement mode of RWS | 55F53A11 | Active weapon engagement mode: weapon armed, fire safety interlocks cleared by operator (two-stage arm sequence), target tracked via electro-optical sensors or automatic tracker, ballistic solution computed and applied to weapon aim point. Operator has authority to fire. Entry: operator arms weapon from surveillance mode after positive target identification. Exit: operator safes weapon (returns to surveillance), ammunition exhausted, or system enters emergency stop. Maximum power draw, stabilization at highest performance, all sensors recording. |
| Failure to safe weapon | 00050211 | Hazard in RWS: weapon does not return to safe state when commanded by operator or safety system. Firing circuit remains energised, or mechanical safety does not engage. Consequence: subsequent uncommanded discharge possible, crew unable to safely approach weapon for maintenance or clearing. Particularly dangerous during emergency stop or after a malfunction. Failure of the safe-state transition mechanism. |
| Field maintenance barrel change scenario | 50853A10 | Maintenance scenario: After sustained engagement (500+ rounds), weapon barrel requires change per maintenance schedule. Vehicle withdraws to maintenance area. Crew initiates maintenance mode — clears weapon (verifies empty chamber), removes ammunition belt, powers down turret electronics, engages mechanical locks on azimuth and elevation. Armourer changes barrel assembly (15-minute task), inspects feed mechanism, checks ammunition storage temperature. Re-loads ammunition, releases mechanical locks, powers up system, runs BIT. BIT passes — system returned to stowed mode for movement. |
| Fire Control Computation | 51F77B19 | System function of Remote Weapon Station (RWS): computes ballistic fire control solution from target range (LRF), target motion (tracker), vehicle motion (IMU), environmental inputs (temperature, crosswind, air pressure), ammunition type, and weapon ballistic tables. Outputs: weapon lead angle, superelevation correction, fire/no-fire signal. Performance: solution update at 10 Hz, engagement accuracy contribution <0.3 mrad systematic error. |
| Fire Control Computer | 51B73219 | |
| fire control system | D7F73019 | The Fire Control System (FCS) is a sealed aluminium Line-Replaceable Unit (LRU) housing the Fire Control Computer (FCC), Target Tracking Processor (TTP), Ballistic Computation Module (BCM), and Weapon Control Interface (WCI). It is a physical box meeting MIL-STD-810H environmental requirements, mounted inside the turret structure, drawing 28VDC power. It processes sensor imagery, computes fire solutions, and commands the weapon via digital outputs. Volume ≤8L, mass ≤6kg. |
| Fire Control System | DBF73819 | Ruggedized LRU packaged subsystem integrating ballistic computation module, fire control computer, and target tracking processor. Physical chassis is a sealed enclosure meeting MIL-STD-810H vibration and humidity profiles. Contains CPU, DSP, power conditioning circuitry. Manages weapon engagement sequence, ballistic trajectory calculation, and target track. Installed in vehicle turret electronics bay. |
| Friendly fire due to target misidentification | 00000201 | Hazard in RWS: operator engages friendly forces or civilians due to sensor degradation (obscured optics, thermal crossover), incorrect IFF data, situational awareness loss in restricted FOV, or confusion in complex urban environment. Consequence: fratricide, civilian casualties. RWS narrow sensor FOV (typically 2-20 degrees) limits peripheral awareness compared to direct observation. Compounded by thermal imager limitations during crossover periods. |
| GPS/Navigation System | 54E57019 | Vehicle GPS receiver providing position data to the RWS fire control computer for ballistic computation (Coriolis correction, map datum), target location reporting, and sensor geo-referencing. Interface via RS-422 or CAN-bus providing NMEA-0183 or military GPS format (DAGR/PLGR). Position accuracy requirement: <10m CEP. |
| Gunner Hand Controller | D6CD5019 | Dual-hand 6-axis joystick assembly providing azimuth slew, elevation slew, zoom, fire, arm, and mode selection inputs to the Weapon Control Interface. Spring-return to center. Thumb-operated firing trigger with guard. Outputs to Fire Control Computer via USB HID at 100Hz. Ergonomically designed for one-hand operation when required. Meets MIL-STD-461G EMC requirements. |
| Hardware Firing Interlock Relay | D6F51019 | Normally-open, fail-safe electromechanical relay assembly in series with the weapon firing solenoid circuit within the Safety Interlock System. Provides hardware-enforced firing cut-out that is physically independent of fire control software. Energised only when both the Dual-Channel Safety Controller asserts fire-enable AND the Arming Key Switch is in ARMED position. Drives 24VDC firing solenoid. Response time <10ms to de-energise on safe state command. |
| Host Vehicle Platform | DE851019 | Armored fighting vehicle (IFV, APC, MRAP) on which the RWS is mounted. Provides 28VDC power supply, CAN-bus data interface for vehicle integration (speed, heading, GPS), mounting ring interface (NATO standard turret ring), and structural support for recoil loads up to 25kN. Vehicle hull provides ballistic protection for the operator and electronics. |
| IED strike control link loss scenario | 40840200 | Failure scenario: Vehicle strikes IED during movement. Blast damages cable harness between hull operator station and turret assembly. RWS detects control link loss while weapon is in surveillance mode (safed). Hardware safety automatically locks turret and confirms weapon safe state within 500ms. Operator display shows LINK LOST status. Vehicle crew assesses damage, determines RWS inoperable. Crew secures weapon manually via turret-mounted manual safety, continues mission with RWS degraded-out. Field maintenance required to replace cable harness. |
| Initialization/BIT mode of RWS | 51F53A00 | Power-up and built-in-test mode of a Remote Weapon Station. System energizes in safe state, runs comprehensive self-diagnostics on servo drives, sensor alignment, FCS computation, ammunition feed sensors, and safety interlock circuits. Reports fault status to operator console. Servo drives exercised to verify freedom of motion and encoder calibration. LRF self-test with internal reference. Duration 30-90 seconds depending on ambient temperature. Prevents transition to Surveillance until all safety-critical BIT checks pass. |
| laser rangefinder | D4C55019 | |
| Loss of operator control while weapon armed | 01041211 | Hazard in RWS: communication link between operator control unit and turret assembly fails while weapon is in armed state. Causes: cable damage from IED blast, connector vibration failure, electronics failure. Consequence: weapon remains armed with no operator input, turret may drift or hold last commanded position. If auto-tracker is engaged, system may continue tracking a target without operator oversight. Requires independent hardware safety to force weapon safe on link loss. |
| Maintenance mode of RWS | 40943A10 | Depot or field maintenance mode: weapon removed or barrel cleared, all ammunition removed, turret power isolated via lockout-tagout, mechanical locks engaged on azimuth and elevation drives. Allows crew or technician to perform preventive maintenance, replace Line Replaceable Units (LRUs), update software, run diagnostic tests. Entry: crew initiates maintenance sequence with weapon cleared and verified safe. Exit: maintenance complete, Built-In Test passes, crew authorises return to stowed mode. Safety interlocks prevent any turret motion or weapon function. |
| OCU Control Processing Unit | D1F57018 | Embedded computer handling operator interface logic for the RWS OCU. Receives sensor video from FCC, composites overlay graphics, drives the Operator Display Unit, and forwards operator hand controller inputs to FCC. Manages BITE display, system status, and operator alerts. Communicates with FCC via 100BASE-TX Ethernet. Executes OCU software on COTS SBC running Linux RTOS. |
| Operator Control Unit | D4ED5019 | Subsystem of Remote Weapon Station (RWS): hull-mounted operator station with ruggedised 15-inch day/night-readable LCD display, dual hand controllers (palm grip with thumb controls for mode, FOV, fire trigger, and slew), emergency stop button, weapon arm/safe panel with guarded switches. Presents sensor video with FCS overlay (reticle, range, lead angle, mode indicators), BIT status, fault alerts. MIL-STD-1472 human factors design. Connected to turret via armoured cable harness through hull penetration. |
| Operator Display Unit | D6CC5018 | Rugged 15-inch sunlight-readable LCD touchscreen display for RWS gunner station. Displays dual-channel (day/thermal) video from EOSA, overlaid with target markers, range data, system status, and BITE indicators. 1920x1080 resolution, 1500 nit brightness for daylight readability. Touch interface for menu navigation. Connected to Fire Control Computer via DVI-D video and USB for touch input. |
| Operator Interface and Display | 50FD7819 | System function of Remote Weapon Station (RWS): presents sensor imagery, system status, fire control data, and BIT results to the vehicle commander via a ruggedised display panel with hand controllers. Receives operator commands (mode select, weapon arm/safe, fire trigger, sensor select, FOV, E-STOP). Inputs: sensor video, FCS overlay data, BIT status. Outputs: operator commands to FCS, mode transitions to state machine. Interface: MIL-STD-1472 human factors, day/night readable display. |
| Power Conditioning and Distribution | 54F53018 | System function of Remote Weapon Station (RWS): receives 28VDC from host vehicle and conditions/distributes power to all RWS subsystems — servo drives, sensors, FCS electronics, OCU, safety circuits. Manages power sequencing, surge protection, voltage regulation, and emergency power for safety-critical functions (firing interlock, brakes). Inputs: 28VDC vehicle bus. Outputs: regulated power rails (28V drive, 12V logic, 5V sensor). Performance: 2kW peak during full traverse with weapon firing, 500W nominal surveillance. |
| Power Distribution and Protection Module | D6B53018 | Load switching and protection module in the RWS PDU. Contains solid-state power controllers (SSPC) for each subsystem load: FCS (8A), TDA (12A), EOSA (4A), SIS (2A), CIU (3A), OCU (2A). Each SSPC provides electronic circuit breaking with adjustable trip threshold, inrush current limiting, and load shedding capability. Controlled via RS-422 serial from the Power Monitor and Control Unit. 28VDC, -40°C to +71°C. |
| Power Distribution Unit | D6C51018 | |
| Power Monitor and Control Unit | D5F77018 | Supervisory control and monitoring processor in the RWS PDU. Monitors voltage, current, and temperature on each power rail and subsystem supply branch using precision ADCs (12-bit, 1kHz sampling). Reports power consumption telemetry to FCS and OCU via RS-422. Commands SSPC load shedding during overload or fault conditions. Generates BIT fault codes for maintenance. Runs on embedded microcontroller with 100ms control loop. SIL 0, non-safety-critical. 28VDC, 2W. |
| Primary Power Input Filter and Surge Arrester | C6853058 | EMI/EMC input filter and transient voltage suppression (TVS) at the 28VDC power input of the RWS Power Distribution Unit. Provides MIL-STD-461G CE101/CE102 conducted emissions attenuation, STANAG 1008 compliant surge protection up to 100V/100µs transient per MIL-STD-1275E. Series inductor-capacitor LC filter with TVS diode array. Passes up to 3.5kW peak load. Passive assembly, no control electronics. -40°C to +85°C. |
| Recoil Buffer and Damping System | CED51019 | Spring-hydraulic recoil attenuation assembly mounted between weapon receiver and cradle. Absorbs initial 25kN peak recoil impulse and dissipates energy over 80mm stroke to reduce transmitted force to turret structure. Must not exceed 5kN residual force at buffer end-of-stroke. Operates across -40°C to +70°C temperature range without seal failure or hydraulic cavitation. |
| Remote Weapon Station (RWS) | DEF53059 | A remotely operated, stabilized weapon platform mounted on armored fighting vehicles (AFVs), naval vessels, or fixed installations. The operator acquires targets and engages from a protected position inside the vehicle using electro-optical sensors (daylight camera, thermal imager, laser rangefinder) and a stabilized weapon mount supporting medium-calibre machine guns (7.62mm, 12.7mm), automatic grenade launchers, or anti-tank guided missiles. The RWS provides 360-degree azimuth traverse, elevation from -20 to +60 degrees, two-axis stabilization for fire-on-the-move capability, and ballistic computation. Operates in desert, arctic, tropical, and urban environments at temperatures from -46°C to +71°C. Safety-critical system requiring SIL 2 minimum for weapon firing chain. Subject to NATO STANAG 4569 for ballistic protection integration and MIL-STD-810 for environmental qualification. |
| RWS System Integrator (OEM) | 40853879 | Defence contractor responsible for design, manufacture, integration, and through-life support of the RWS. Integrates RWS onto multiple vehicle platforms. Responsible for safety case, environmental qualification, type certification, software assurance, and logistics support. Must comply with DEF STAN 00-56 safety management and IEC 61508 functional safety. |
| Safe State Output Driver | D0D51018 | Galvanically isolated relay driver module within the Safety Interlock System that conditions Dual-Channel Safety Controller digital outputs to drive high-current actuators: mechanical brake solenoids (24VDC, 2A each, two turret axes) and weapon firing inhibit relay coil. Fail-safe design: de-energised state (no drive signal) corresponds to brakes engaged and firing inhibited. Provides 1500V isolation between safety logic and actuator circuits. Response time <5ms from command to actuator state change. |
| Safety Interlock System | D2B53859 | Subsystem of Remote Weapon Station (RWS): hardware safety chain implementing SIL 3 firing interlock and SIL 2 turret motion safety. Contains: hardwired E-STOP circuit (mushroom button at OCU and external maintenance panel), maintenance mode interlock switches on access panels, weapon arm relay (two-action independent of FCS software), control link watchdog timer (200ms hardware timeout), firing circuit relay (fail-open, spring-return), turret brake release relay. All safety relays are fail-safe (de-energise to safe state). Independent of FCS software per IEC 61508 architectural constraint. |
| Sensor Head Stabilisation Platform | DFB51008 | 2-axis (azimuth and elevation) gyro-stabilised gimbal isolating the thermal imager and day camera from turret platform vibration. Provides stabilisation to 0.1 mrad RMS residual jitter at 5Hz-100Hz vibration input up to 5 mrad/s. Gyro feedback from fibre optic gyroscopes (FOG). Stabilisation electronics interface to Turret Drive Controller for turret-stabilisation decoupling. |
| Software fault causing uncommanded fire | 41213159 | Hazard in RWS: fire control software erroneously asserts fire command due to race condition, buffer overflow, state machine corruption, or incorrect sensor data interpretation. Distinct from electrical uncommanded discharge — this is a logic error in safety-critical software. Consequence: same as uncommanded discharge but with potentially systematic rather than random failure mode. Requires SIL 2+ software development per IEC 61508 Part 3. |
| Stowed/Travel mode of RWS | 40940A00 | Non-operational transport mode: weapon is safed, turret locked to travel position (typically forward), sensors powered down or in standby. Entry: crew secures weapon and initiates stow command. Active during road marches, rail transport, and air transport. Exit: crew commands transition to surveillance mode upon entering operational area. Power draw minimal, vehicle CAN-bus heartbeat maintained. |
| Surveillance mode of RWS | 55FD3201 | Operational observation mode: weapon safed but turret unlocked and traversable, all electro-optical sensors active (day camera, thermal imager, laser rangefinder on standby), stabilisation engaged. Operator scans sectors using joystick or auto-scan patterns. Entry: crew transitions from stowed mode upon reaching operational area. Exit: operator identifies threat and transitions to engagement mode, or crew commands stow. Full power draw, continuous sensor video feed to operator display. |
| Tactical Commander (Platoon/Company) | 018D7AF9 | Commands the formation of which the RWS-equipped vehicle is a part. Authorises engagement in accordance with rules of engagement. Needs RWS sensor imagery shared via tactical data link for situational awareness. Relies on RWS engagement effectiveness data for tactical planning and battle damage assessment. |
| Tactical Data Link (Battle Management System) | 50F57B59 | Battlefield management system providing digital communications between vehicles and command posts. Receives target handoff data, blue force tracking, and rules of engagement updates. Exports RWS sensor imagery, engagement data, and weapon status to the tactical network. Typically MIL-STD-6016 or national BMS protocol over UHF/VHF or wideband radio. |
| Tactical Data Link Processor | 50F57258 | |
| Target Detection and Tracking | 55F53219 | System function of Remote Weapon Station (RWS): acquires targets using EO/TI sensors, performs automatic video tracking with centroid/correlation tracker, maintains weapon-target alignment during vehicle motion. Inputs: sensor video streams (EO 640x480 day, TI 640x480 LWIR), vehicle motion (IMU/gyro), operator designation. Outputs: target position (azimuth/elevation/range), track quality metric, tracking error signal to servo loop. Performance: 0.5 mrad RMS tracking error on 30 km/h crossing target at 500m, 10 Hz update rate. |
| Target Tracking Processor | D1F77219 | Dedicated video processing board within the FCS that runs the auto-tracking algorithm. Receives compressed H.264 video frames from the EOSA at 50Hz via GigE. Implements template-matching and Kalman filter-based tracker to maintain a 3D target state estimate (position, velocity). Outputs target centroid in image coordinates and angular track error at 50Hz to the Fire Control Computer. Falls back to inertial hold mode when image quality drops below threshold. |
| Thermal Imaging Camera | D4EC5019 | Uncooled or cooled LWIR (8-12 µm) staring focal plane array providing continuous video to the Fire Control Computer and Operator Control Unit. Minimum 0.3 mrad IFOV. Image stabilised against platform vibration to 5 Hz-30 Hz using a 2-axis gimbal. Provides detection of man-size target at ≥3 km in STANAG 4347 standard atmosphere. Digital video output via GigE Vision at 50Hz frame rate. |
| Turret Drive Assembly | DEF51018 | Subsystem of Remote Weapon Station (RWS): dual-axis (azimuth 360° continuous, elevation -20° to +60°) servo-driven turret with brushless DC motors, harmonic drives, optical encoders (21-bit resolution), and spring-applied/electrically-released mechanical brakes. Gyro-stabilised pointing with 0.2 mrad accuracy under MIL-STD-810H Cat 4/8 vibration. Slew rates: 60°/s azimuth, 40°/s elevation. Structural design for 25kN recoil load. NATO turret ring interface. IP67 sealed bearings and slip ring for continuous rotation. |
| Turret Drive Controller | 55F57208 | Real-time motion controller executing closed-loop PID position and velocity control for azimuth and elevation axes. Receives fire control aiming demands at 50Hz from Fire Control Computer via PCIe, executes control law at 1kHz, outputs PWM commands to motor drives. Implements software velocity and travel limits. Monitors encoder health and motor current. Reports turret position at 50Hz to FCS and status at 10Hz to OCU. |
| Turret Position Encoder Assembly | D4E55018 | Dual-redundant absolute position encoders on the azimuth and elevation axes providing 20-bit angular position data at 1kHz to the Turret Drive Controller. Primary encoder is optical absolute; secondary is magnetic incremental for fault detection. Cross-comparison between channels detects encoder failure within 10ms. Output fed to both TDC and SIS for safe-state monitoring. |
| Turret Stabilisation and Drive Control | 55F53019 | System function of Remote Weapon Station (RWS): controls azimuth and elevation servo motors to point the weapon and sensors at commanded bearings with stabilisation against vehicle motion. Uses gyroscope/IMU feedback for disturbance rejection. Inputs: commanded bearing (from tracker or operator), vehicle attitude (IMU), encoder position feedback. Outputs: motor drive signals, brake commands. Performance: 60°/s azimuth slew, 40°/s elevation, 0.2 mrad pointing accuracy under MIL-STD-810H vibration. |
| Uncommanded turret motion | 14400201 | Hazard in RWS: turret traverses or elevates without operator command due to servo controller fault, encoder failure, or software error. Consequence: crushing or striking of personnel working near the vehicle (e.g., dismounted infantry, maintenance crew). High angular velocity of turret (up to 60°/s) combined with weapon mass (50-150 kg) creates lethal kinetic energy. Can occur in surveillance, engagement, or maintenance modes. |
| Uncommanded weapon discharge | 50400211 | Hazard in RWS: weapon fires without operator command due to electrical fault in firing circuit, software error in fire control computer, or electromagnetic interference triggering the solenoid. Consequence: death or serious injury to friendly forces, civilians, or damage to own vehicle. Can occur in any mode where ammunition is loaded. Most critical single-point failure in the system. |
| Urban patrol engagement scenario | 55F53231 | Normal operations scenario: Mechanized infantry section conducts mounted patrol in urban area. Vehicle commander (VC) operates RWS in surveillance mode, scanning rooftops and alleyways with thermal imager during early morning patrol. VC identifies suspected hostile with RPG on third-floor balcony at 200m. VC switches to narrow FOV, confirms threat through day camera, reports to platoon commander. On authorization, VC transitions to engagement mode, arms weapon, auto-tracker locks target, ballistic solution computed for 200m range and 15-degree elevation. VC fires 3-round burst of 12.7mm. Post-engagement, VC returns to surveillance mode and continues patrol. |
| Vehicle Commander (RWS Operator) | 008578F9 | Primary operator of the Remote Weapon Station: commands and controls the RWS from inside the armored vehicle, responsible for target acquisition, identification, and engagement decisions. Requires situational awareness through RWS sensors while maintaining command of the vehicle and its crew. Operates under rules of engagement. Typically a non-commissioned officer with weapons qualification. |
| Vehicle Crew (Driver and Loader) | 018D10A8 | Other crew members of the RWS-equipped vehicle: driver and loader/gunner. Affected by RWS vibration, noise, and recoil forces transmitted through the hull. Driver relies on VC for route security via RWS surveillance. Loader responsible for ammunition replenishment and may need to access turret for stoppages. |
| Video Compression and Network Interface Module | D4F57018 | H.264/H.265 hardware video compression module in the RWS CIU. Receives uncompressed YUV video from the EOSA (daylight and thermal channels) at up to 30fps, 1280x1024 resolution. Compresses to target bitrate of 2-8Mbps and encapsulates in RTP/UDP over Gigabit Ethernet for BMS transmission. Includes dual-port GigE switch capability for internal RWS network. Operates at 28VDC, generates up to 8W heat load. Compliance: MIL-STD-810G temperature/vibration. |
| Weapon and Ammunition Handling Assembly | DFE51019 | Subsystem of Remote Weapon Station (RWS): weapon cradle mounting a 12.7mm or 7.62mm machine gun with powered belt feed mechanism. Contains: dual-path flexible chute from 400-round magazine, ammunition type sensor (optical), electronic round counter, feed motor with jam detection, spent case and link ejection chute, quick-change barrel interface. STANAG 4090 compatible links. Barrel change by single maintainer in <15 min. Recoil buffer absorbs 25kN peak impulse. Weapon elevation driven by TDA but mechanical stops are in WAH. |
| Weapon Control Interface | 50F57A19 | Hardware/firmware interface within the FCS that translates Fire Control Computer firing commands into weapon-specific electrical signals. Manages trigger solenoid activation timing, burst counter, cook-off timing enforcement, and misfire handling sequences. Receives FIRE/CEASE/SAFE commands from FCC over RS-422 link. Outputs 28VDC firing solenoid drive pulse to the weapon trigger mechanism via the Hardware Firing Interlock Relay. Logs round count and fault codes to FCC. |
| Weapon Cradle and Mount | CE851018 | Structural mechanical interface between the weapon receiver and the RWS turret elevation axis. Transmits azimuth and elevation angles from the turret drive to the weapon bore line. Must withstand 25kN peak recoil load from sustained fire cycles with zero permanent deformation. Includes weapon locking latch for secure retention during vehicle mobility and quick-release for barrel change. |
| Weapon Safing and Interlock Management | 51F57B19 | System function of Remote Weapon Station (RWS): manages the safety state machine for weapon discharge — monitors E-STOP, safety interlocks, control link heartbeat, maintenance mode, and operator arm/safe commands. Controls hardware firing interlock relay (SIL 3) and software fire enable gate. Outputs: fire-enable/inhibit signal, safe-state command to turret drives. Performance: 500ms maximum transition to safe state from any trigger. Independent hardware watchdog with 200ms timeout. |
| Weapons System Maintainer | 00843AF9 | Armourer or electronics technician responsible for preventive and corrective maintenance of the RWS. Performs barrel changes, LRU replacement, cable harness repair, software updates, and diagnostic testing. Works in the turret hazard zone during maintenance. Requires lockout-tagout procedures and maintenance mode safety interlocks. |

| Component | Belongs To |
|---|---|
| Electro-Optical Sensor Assembly | Remote Weapon Station (RWS) |
| Fire Control System | Remote Weapon Station (RWS) |
| Turret Drive Assembly | Remote Weapon Station (RWS) |
| Operator Control Unit | Remote Weapon Station (RWS) |
| Safety Interlock System | Remote Weapon Station (RWS) |
| Weapon and Ammunition Handling Assembly | Remote Weapon Station (RWS) |
| Power Distribution Unit | Remote Weapon Station (RWS) |
| Communications Interface Unit | Remote Weapon Station (RWS) |
| Dual-Channel Safety Controller | Safety Interlock System |
| Hardware Firing Interlock Relay | Safety Interlock System |
| Arming Key Switch Assembly | Safety Interlock System |
| E-stop and Link Watchdog Module | Safety Interlock System |
| Safe State Output Driver | Safety Interlock System |
| Fire Control Computer | Fire Control System |
| Target Tracking Processor | Fire Control System |
| Ballistic Computation Module | Fire Control System |
| Weapon Control Interface | Fire Control System |
| Weapon Cradle and Mount | Weapon and Ammunition Handling Assembly |
| Recoil Buffer and Damping System | Weapon and Ammunition Handling Assembly |
| Ammunition Magazine Assembly | Weapon and Ammunition Handling Assembly |
| Belt Feed and Transfer Mechanism | Weapon and Ammunition Handling Assembly |
| Barrel Change Mechanism | Weapon and Ammunition Handling Assembly |
| Azimuth Drive Motor and Gearbox | Turret Drive Assembly |
| Elevation Drive Motor and Gearbox | Turret Drive Assembly |
| Turret Drive Controller | Turret Drive Assembly |
| Azimuth Slip Ring Assembly | Turret Drive Assembly |
| Turret Position Encoder Assembly | Turret Drive Assembly |
| Thermal Imaging Camera | Electro-Optical Sensor Assembly |
| Daylight Television Camera | Electro-Optical Sensor Assembly |
| Laser Rangefinder | Electro-Optical Sensor Assembly |
| Sensor Head Stabilisation Platform | Electro-Optical Sensor Assembly |
| Operator Display Unit | Operator Control Unit |
| Gunner Hand Controller | Operator Control Unit |
| OCU Control Processing Unit | Operator Control Unit |
| Tactical Data Link Processor | Communications Interface Unit |
| Video Compression and Network Interface Module | Communications Interface Unit |
| CAN Bus and Serial Protocol Gateway | Communications Interface Unit |
| EMC Filter and Surge Protection Assembly | Communications Interface Unit |
| Primary Power Input Filter and Surge Arrester | Power Distribution Unit |
| DC-DC Converter Array | Power Distribution Unit |
| Power Distribution and Protection Module | Power Distribution Unit |
| Power Monitor and Control Unit | Power Distribution Unit |

| From | To |
|---|---|
| Dual-Channel Safety Controller | Hardware Firing Interlock Relay |
| Dual-Channel Safety Controller | Safe State Output Driver |
| Arming Key Switch Assembly | Dual-Channel Safety Controller |
| E-stop and Link Watchdog Module | Dual-Channel Safety Controller |
| Target Tracking Processor | Fire Control Computer |
| Fire Control Computer | Ballistic Computation Module |
| Fire Control Computer | Weapon Control Interface |
| Ammunition Magazine Assembly | Belt Feed and Transfer Mechanism |
| Belt Feed and Transfer Mechanism | Weapon Cradle and Mount |
| Weapon Cradle and Mount | Recoil Buffer and Damping System |
| Barrel Change Mechanism | Weapon Cradle and Mount |
| Turret Drive Controller | Azimuth Drive Motor and Gearbox |
| Turret Drive Controller | Elevation Drive Motor and Gearbox |
| Turret Position Encoder Assembly | Turret Drive Controller |
| Azimuth Slip Ring Assembly | Turret Drive Controller |
| Thermal Imaging Camera | Sensor Head Stabilisation Platform |
| Daylight Television Camera | Sensor Head Stabilisation Platform |
| Laser Rangefinder | Sensor Head Stabilisation Platform |
| OCU Control Processing Unit | Operator Display Unit |
| Gunner Hand Controller | OCU Control Processing Unit |
| Tactical Data Link Processor | Battle Management System |
| Video Compression and Network Interface Module | Tactical Data Link Processor |
| CAN Bus and Serial Protocol Gateway | Fire Control Computer |
| Power Distribution and Protection Module | Safety Interlock System |
| Power Monitor and Control Unit | Fire Control Computer |
| Primary Power Input Filter and Surge Arrester | DC-DC Converter Array |
| Primary Power Input Filter and Surge Arrester | Power Distribution and Protection Module |

| Component | Output |
|---|---|
| Dual-Channel Safety Controller | firing-enable-signal |
| Dual-Channel Safety Controller | brake-release-command |
| Hardware Firing Interlock Relay | firing-circuit-state |
| Arming Key Switch Assembly | arm-key-status-signal |
| E-stop and Link Watchdog Module | safe-state-trigger-signal |
| Safe State Output Driver | actuator-drive-signals |
| Fire Control Computer | ballistic fire solution and servo pointing demands |
| Target Tracking Processor | target state estimate and angular track error at 50Hz |
| Ballistic Computation Module | azimuth and elevation corrections in mrad |
| Weapon Control Interface | weapon trigger solenoid firing pulse |
| Recoil Buffer and Damping System | attenuated recoil force |
| Ammunition Magazine Assembly | round-count status |
| Belt Feed and Transfer Mechanism | chambered round |
| Barrel Change Mechanism | barrel retention status |
| Tactical Data Link Processor | MIL-STD-6016 tactical data messages |
| Video Compression and Network Interface Module | compressed sensor video RTP stream |
| CAN Bus and Serial Protocol Gateway | vehicle status UDP datagrams |
| EMC Filter and Surge Protection Assembly | conducted emissions suppression |
| DC-DC Converter Array | regulated 12VDC, 5VDC and 3.3VDC rails |
| Power Distribution and Protection Module | switched protected 28VDC subsystem feeds |
| Power Monitor and Control Unit | power telemetry and fault codes |

| Source | Target | Type | Description |
|---|---|---|---|
| SYS-REQ-004 | SUB-REQ-045 | derives | Day-channel imaging resolution decomposed to EOSA Day Camera |
| SYS-REQ-018 | SUB-REQ-045 | derives | SYS-REQ-018 PID range at 1500m daylight derives day camera pixel resolution |
| SYS-REQ-018 | SUB-REQ-029 | derives | SYS-REQ-018 PID range at 800m night derives TI camera IFOV resolution |
| SYS-REQ-009 | SUB-REQ-052 | derives | SYS link-loss safe-state budget → FCC watchdog timeout allocation |
| SYS-REQ-007 | SUB-REQ-084 | derives | OCU HMI workload requirement derived from two-action weapon arming |
| SYS-REQ-002 | SUB-REQ-083 | derives | FCC restart time bound derived from engagement latency requirement |
| SYS-REQ-011 | SUB-REQ-082 | derives | Degraded mode performance floor derived from SYS-REQ-011 degraded operation mode |
| SYS-REQ-015 | SUB-REQ-081 | derives | Automated boresight verification derived from barrel change maintainability requirement |
| SYS-REQ-013 | SUB-REQ-080 | derives | TDLP MIL-STD-6016E compliance derived from BMS tactical data link requirement |
| SYS-REQ-007 | SUB-REQ-079 | derives | SYS two-action arming → FCS positive ID acknowledgement requirement |
| SYS-REQ-011 | SUB-REQ-078 | derives | EOSA thermal-only fallback transition derived from degraded operation mode requirement |
| SYS-REQ-008 | SUB-REQ-077 | derives | PDU independent circuit branches derived from safety-critical load independence requirement |
| SYS-REQ-008 | SUB-REQ-076 | derives | BCM data authentication derived from independence of firing interlock from fire control |
| SYS-REQ-009 | SUB-REQ-075 | derives | TTP track-loss inhibit derived from communication-loss weapon safe requirement |
| SYS-REQ-007 | SUB-REQ-074 | derives | WCI dual-confirmation hardware logic derived from two-action arming sequence requirement |
| SYS-REQ-010 | SUB-REQ-073 | derives | FCC safe-state response derived from Emergency Stop safe-state system requirement |
| SYS-REQ-013 | SUB-REQ-072 | derives | TDLP power envelope derived from BMS data link transmission requirement |
| SYS-REQ-013 | SUB-REQ-071 | derives | TDL cybersecurity derives from MIL-STD-6016 data link requirement |
| SYS-REQ-001 | SUB-REQ-070 | derives | BCM output specification derives from first-round hit probability requirement |
| SYS-REQ-006 | SUB-REQ-069 | derives | TTP output specification derives from auto-track accuracy requirement |
| SYS-REQ-015 | SUB-REQ-067 | derives | Automated boresight verification decomposed to FCS |
| SYS-REQ-013 | SUB-REQ-066 | derives | BMS tactical data link decomposed to CIU |
| SYS-REQ-011 | SUB-REQ-065 | derives | Degraded-mode day camera operation decomposed to EOSA and FCS |
| SYS-REQ-003 | SUB-REQ-064 | derives | TDA traverse/slew envelope decomposed from system kinematic requirement |
| SYS-REQ-001 | SUB-REQ-063 | derives | FCS stabilisation decomposed from system hit probability |
| SYS-REQ-008 | SUB-REQ-062 | derives | Hardware firing interlock relay spec derives from requirement for hardware independence of firing chain |
| SYS-REQ-016 | SUB-REQ-061 | derives | SIS environmental qualification necessary to achieve system MTBCF ≥8000h |
| SYS-REQ-008 | SUB-REQ-061 | derives | SIS environmental hardening derives from system-level hardware firing interlock independence requirement |
| SYS-REQ-016 | SUB-REQ-060 | derives | TDA environmental protection derives from system MTBCF and environmental qualification requirements |
| SYS-REQ-007 | SUB-REQ-059 | derives | BCM data integrity derives from two-action arming security requirement |
| SYS-REQ-001 | SUB-REQ-058 | derives | SYS stabilised fire control → TDC stabilisation control loop |
| SYS-REQ-011 | SUB-REQ-057 | derives | SYS degraded operation → OCU degraded mode annunciation |
| SYS-REQ-009 | SUB-REQ-056 | derives | SYS control link loss → CIU link heartbeat monitoring |
| SYS-REQ-009 | SUB-REQ-027 | derives | SYS control link loss → TDA drive de-energise |
| SYS-REQ-009 | SUB-REQ-017 | derives | SYS control link loss → FCS weapon safe on SAFE_STATE |
| SYS-REQ-001 | SUB-REQ-014 | derives | SYS fire control accuracy → TTP auto-track |
| SYS-REQ-001 | SUB-REQ-013 | derives | SYS fire control accuracy → FCC closed-loop rate |
| SYS-REQ-016 | SUB-REQ-054 | derives | MTBCF requirement derives PDU SSPC fault isolation specification |
| SYS-REQ-008 | SUB-REQ-053 | derives | Hardware interlock requirement derives WCI fail-safe output specification |
| SYS-REQ-008 | SUB-REQ-052 | derives | SYS hardware interlock independence → FCC hardware watchdog implementation |
| SYS-REQ-008 | SUB-REQ-051 | derives | Hardware interlock requirement derives relay material specification |
| SYS-REQ-016 | SUB-REQ-050 | derives | MTBCF requirement derives physical packaging LRU spec for FCS |
| SYS-REQ-001 | SUB-REQ-049 | derives | Moving-vehicle FRHP requirement drives EOSA stabilisation error budget |
| SYS-REQ-015 | SUB-REQ-048 | derives | Automated boresight verification decomposed to FCC alignment routine |
| SYS-REQ-015 | SUB-REQ-047 | derives | Maintainer and tool set constraints for barrel change/jam clearance |
| SYS-REQ-016 | SUB-REQ-047 | derives | System MTTR requirement decomposed to WAHA for highest-frequency maintenance tasks |
| SYS-REQ-016 | SUB-REQ-046 | derives | System MTBCF requirement allocated to FCS as highest-complexity subsystem |
| SYS-REQ-011 | SUB-REQ-045 | derives | Day camera as fallback sensor in degraded operation mode |
| SYS-REQ-007 | SUB-REQ-001 | derives | SIL-3 two-action arming requires 1oo2D redundancy in safety controller |
| SYS-REQ-007 | SUB-REQ-002 | derives | Two-action arming sequence decomposed into key+software coincidence window |
| SYS-REQ-008 | SUB-REQ-003 | derives | Hardware firing interlock independence decomposed to HFI relay design |
| SYS-REQ-008 | SUB-REQ-004 | derives | Firing interlock must open before next firing cycle |
| SYS-REQ-009 | SUB-REQ-005 | derives | Link loss safing decomposes to watchdog module 200ms trigger |
| SYS-REQ-010 | SUB-REQ-006 | derives | E-stop decomposes to Safe State Output Driver 50ms actuator de-energise |
| SYS-REQ-007 | SUB-REQ-007 | derives | SIL-3 arming chain includes maintenance lockout as a key switch position |
| SYS-REQ-007 | SUB-REQ-008 | derives | SIL-3 requires automatic safe state transition on fault detection |
| SYS-REQ-008 | SUB-REQ-009 | derives | SIS independence requirement drives SIS power supply specification |
| SYS-REQ-003 | SUB-REQ-010 | derives | Slew rate requirement drives TDA power budget |
| SYS-REQ-001 | SUB-REQ-011 | derives | Hit probability accuracy requirement drives FCS continuous power availability |
| SYS-REQ-004 | SUB-REQ-012 | derives | Imaging resolution requirement drives EOSA power supply stability specification |
| SYS-REQ-006 | SUB-REQ-013 | derives | FCC 50Hz loop rate derives from system tracking accuracy requirement |
| SYS-REQ-006 | SUB-REQ-014 | derives | TTP 0.2 mrad track error budget derives from system 0.5 mrad tracking requirement |
| SYS-REQ-001 | SUB-REQ-015 | derives | BCM 20ms latency derives from first-round hit probability and engagement time |
| SYS-REQ-002 | SUB-REQ-016 | derives | WCI 5ms actuation latency derives from engagement time budget |
| SYS-REQ-008 | SUB-REQ-017 | derives | FCS safe-state response to SIS derives from hardware firing interlock requirement |
| SYS-REQ-011 | SUB-REQ-018 | derives | FCS degraded-mode performance derives from system degraded operation requirement |
| SYS-REQ-012 | SUB-REQ-019 | derives | FCS BIT time derives from system-level BIT completion requirement |
| SYS-REQ-014 | SUB-REQ-022 | derives | Weapon Cradle and Mount recoil withstand requirement |
| SYS-REQ-014 | SUB-REQ-023 | derives | Recoil buffer force attenuation requirement |
| SYS-REQ-015 | SUB-REQ-024 | derives | Barrel change mechanism time and access requirement |
| SYS-REQ-008 | SUB-REQ-025 | derives | Barrel retention fire permit safety requirement |
| SYS-REQ-001 | SUB-REQ-026 | derives | TDA pointing accuracy allocation from hit probability |
| SYS-REQ-010 | SUB-REQ-027 | derives | Drive inhibit safe state for E-stop |
| SYS-REQ-003 | SUB-REQ-028 | derives | Azimuth drive range and rate allocation |
| SYS-REQ-004 | SUB-REQ-029 | derives | Thermal IFOV allocation from day-channel imaging requirement |
| SYS-REQ-005 | SUB-REQ-030 | derives | LRF accuracy and eye-safe classification |
| SYS-REQ-011 | SUB-REQ-031 | derives | EOSA degraded mode with thermal failure |
| SYS-REQ-002 | SUB-REQ-032 | derives | SYS 8s engagement sequence → ODU display latency allocation |
| SYS-REQ-002 | SUB-REQ-033 | derives | SYS 8s engagement sequence → GHC command rate and latency allocation |
| SYS-REQ-013 | SUB-REQ-034 | derives | TDP throughput derives from BMS data link requirement |
| SYS-REQ-013 | SUB-REQ-035 | derives | VCNI video compression derives from BMS video requirement |
| SYS-REQ-017 | SUB-REQ-037 | derives | EMC filter derives from EMC compliance requirement |
| SYS-REQ-016 | SUB-REQ-039 | derives | SSPC fault isolation derives from reliability/availability requirement |
| SYS-REQ-013 | SUB-REQ-036 | derives | CAN gateway derives from BMS comms and navigation data requirement |
| SYS-REQ-016 | SUB-REQ-040 | derives | DC-DC regulation derives from system MTBCF reliability requirement |
| SYS-REQ-012 | SUB-REQ-041 | derives | PMCU telemetry derives from BIT and self-test requirement |
| SYS-REQ-016 | SUB-REQ-038 | derives | PDU input spec derives from reliability requirement |
| SYS-REQ-009 | SUB-REQ-020 | derives | FCC watchdog safe-state transition derives from link-loss safe state requirement |
| SYS-REQ-016 | SUB-REQ-021 | derives | FCC power supply spec derives from reliability/MTBCF requirement |
| SYS-REQ-008 | SUB-REQ-042 | derives | DCSC power supply spec derives from hardware firing interlock requirement |
| SYS-REQ-008 | SUB-REQ-043 | derives | HFIR power and timing spec derives from hardware firing interlock requirement |
| SYS-REQ-003 | SUB-REQ-044 | derives | Elevation axis coverage decomposed to TDA elevation drive |
| SYS-REQ-002 | IFC-REQ-024 | derives | OCU-FCC command latency budget derives from engagement timeline |
| SYS-REQ-003 | IFC-REQ-022 | derives | Slip ring power/data capacity derives from 360° traverse requirement |
| SYS-REQ-014 | IFC-REQ-020 | derives | Belt tension interface derives from structural/recoil requirement |
| SYS-REQ-008 | IFC-REQ-017 | derives | WCI command interface derives from hardware firing interlock requirement |
| SYS-REQ-001 | IFC-REQ-016 | derives | BCM-FCC data interface derives from hit probability requirement |
| SYS-REQ-009 | IFC-REQ-028 | derives | SIS always-on derives from link-loss safe state requirement |
| SYS-REQ-012 | IFC-REQ-029 | derives | Power telemetry interface derives from BIT and self-test requirement |
| SYS-REQ-013 | IFC-REQ-027 | derives | GPS distribution interface derives from system navigation requirement |
| SYS-REQ-013 | IFC-REQ-026 | derives | VCNI-TDP internal interface derives from video/data link requirement |
| SYS-REQ-013 | IFC-REQ-025 | derives | TDP-BMS interface derives from system BMS comms requirement |
| SYS-REQ-002 | IFC-REQ-021 | derives | FCC-TDC aiming interface from engagement timeline |
| SYS-REQ-013 | IFC-REQ-019 | derives | Round-count status data interface to FCC |
| SYS-REQ-008 | IFC-REQ-018 | derives | Barrel retention hardware interlock interface |
| SYS-REQ-015 | IFC-REQ-005 | derives | Single-maintainer maintainability requirement drives ammunition supply interface specification |
| SYS-REQ-016 | IFC-REQ-002 | derives | Reliability requirement drives vehicle power interface quality specification |
| SYS-REQ-006 | IFC-REQ-004 | derives | Auto-tracking accuracy requirement drives GPS position data interface specification |
| SYS-REQ-013 | IFC-REQ-003 | derives | System status transmission requirement drives vehicle CAN-bus interface specification |
| SYS-REQ-010 | IFC-REQ-014 | derives | Safe state output interface derives from E-stop actuator response requirement |
| SYS-REQ-009 | IFC-REQ-012 | derives | Link watchdog interface derives from link-loss safe state requirement |
| SYS-REQ-008 | IFC-REQ-013 | derives | Hardware firing interlock interface derives from SYS-REQ-008 HW diversity |
| SYS-REQ-007 | IFC-REQ-011 | derives | Hardware arm input interface derives from two-action arming requirement |
| SYS-REQ-003 | IFC-REQ-008 | derives | Traverse performance derives servo interface rate |
| SYS-REQ-004 | IFC-REQ-007 | derives | Sensor performance derives EOSA-FCS video interface |
| SYS-REQ-010 | IFC-REQ-010 | derives | E-STOP braking derives SIS-TDA brake interface |
| SYS-REQ-008 | IFC-REQ-009 | derives | SYS hardware interlock requirement → SIS-WAH relay interface specification |
| SYS-REQ-013 | IFC-REQ-006 | derives | Data link rate derives BMS interface specification |
| SYS-REQ-014 | IFC-REQ-001 | derives | SYS structural load requirement → turret ring interface characterisation |
| STK-REQ-002 | SYS-REQ-018 | derives | STK-REQ-002 operational PID range flows to SYS-REQ-018 explicit range requirement |
| STK-REQ-017 | SYS-REQ-016 | derives | IP67 ingress protection requirement contributes to MTBCF reliability specification |
| STK-REQ-011 | SYS-REQ-015 | derives | Loader replenishment need drives single-maintainer accessibility requirement |
| STK-REQ-009 | SYS-REQ-007 | derives | LOTO maintenance safety requirement drives two-action arming and interlock specification |
| STK-REQ-016 | SYS-REQ-017 | derives | Environmental hardening drives EMC compliance |
| STK-REQ-016 | SYS-REQ-012 | derives | Temperature range drives cold-start BIT time |
| STK-REQ-015 | SYS-REQ-008 | derives | SIL 3 compliance drives hardware interlock |
| STK-REQ-014 | SYS-REQ-016 | derives | LRU design drives MTTR target |
| STK-REQ-013 | SYS-REQ-009 | derives | Link loss auto-safe drives 500ms safing |
| STK-REQ-012 | SYS-REQ-011 | derives | Degraded ops drives single-sensor engagement |
| STK-REQ-010 | SYS-REQ-014 | derives | Crew isolation drives recoil structural requirement |
| STK-REQ-008 | SYS-REQ-015 | derives | Maintainability drives barrel change time |
| STK-REQ-007 | SYS-REQ-008 | derives | Discharge prevention drives hardware interlock |
| STK-REQ-006 | SYS-REQ-010 | derives | Dismounted safety drives E-STOP response |
| STK-REQ-005 | SYS-REQ-013 | derives | Tactical SA drives data link rate |
| STK-REQ-004 | SYS-REQ-007 | derives | Engagement authorization drives two-action arm |
| STK-REQ-003 | SYS-REQ-006 | derives | Auto-tracking need drives tracking accuracy |
| STK-REQ-002 | SYS-REQ-005 | derives | Target identification drives LRF spec |
| STK-REQ-002 | SYS-REQ-004 | derives | Sensor resolution need drives IFOV and NETD |
| STK-REQ-001 | SYS-REQ-003 | derives | No-exposure engagement drives traverse coverage |
| STK-REQ-001 | SYS-REQ-002 | derives | Crew protection drives engagement timeline |
| STK-REQ-001 | SYS-REQ-001 | derives | Crew protection drives engagement accuracy |

| Verification | Requirement Verified | Type | Description |
|---|---|---|---|
| VER-REQ-067 | SUB-REQ-011 | verifies | FCS power input range verification |
| REQ-SEREMOTEWEAPONSTATIONRWS-008 | SUB-REQ-012 | verifies | EOSA 28VDC power boundary test |
| REQ-SEREMOTEWEAPONSTATIONRWS-009 | SUB-REQ-031 | verifies | EOSA TI failure day-channel continuity |
| REQ-SEREMOTEWEAPONSTATIONRWS-011 | SUB-REQ-035 | verifies | VCNIM video compression performance |
| REQ-SEREMOTEWEAPONSTATIONRWS-010 | SUB-REQ-033 | verifies | GHC slew command output rate and latency |
| REQ-SEREMOTEWEAPONSTATIONRWS-013 | SUB-REQ-037 | verifies | EMC filter conducted emissions MIL-STD-461G |
| REQ-SEREMOTEWEAPONSTATIONRWS-012 | SUB-REQ-036 | verifies | CAN/serial gateway frame republishing |
| REQ-SEREMOTEWEAPONSTATIONRWS-015 | SUB-REQ-072 | verifies | TDLP power boundary voltage test |
| REQ-SEREMOTEWEAPONSTATIONRWS-014 | SUB-REQ-041 | verifies | PMCU voltage/current measurement accuracy |
| REQ-SEREMOTEWEAPONSTATIONRWS-016 | SUB-REQ-080 | verifies | TDLP MIL-STD-6016E interoperability |
| REQ-SEREMOTEWEAPONSTATIONRWS-007 | SUB-REQ-078 | verifies | VER-REQ-118 verifies SUB-REQ-078 EOSA TI-to-optical channel failover ≤2s |
| VER-REQ-117 | SUB-REQ-082 | verifies | Full-system degraded mode demonstration verifies 800m engagement capability with single sensor modality |
| VER-REQ-116 | SUB-REQ-076 | verifies | Cryptographic authentication and replay attack test verifies BCM rejects unauthenticated firing table updates |
| VER-REQ-115 | SUB-REQ-047 | verifies | Timed barrel change and jam clearance demonstration verifies WAHA MTTR ≤30 minutes by two-person team |
| VER-REQ-114 | SUB-REQ-075 | verifies | Track dropout injection test verifies FCS disarms and requires operator re-designation on track loss |
| VER-REQ-113 | SUB-REQ-027 | verifies | Servo timing and brake engagement test verifies TDA stops within 200ms of DRIVE-INHIBIT assertion |
| VER-REQ-112 | SUB-REQ-077 | verifies | Overcurrent fault injection test verifies PDU safety-critical branch independence at system level |
| REQ-SEREMOTEWEAPONSTATIONRWS-006 | SUB-REQ-073 | verifies | VER-REQ-102 verifies SUB-REQ-073 FCC fault response |
| REQ-SEREMOTEWEAPONSTATIONRWS-005 | SUB-REQ-016 | verifies | VER-REQ-068 verifies SUB-REQ-016 WCI FIRE command |
| REQ-SEREMOTEWEAPONSTATIONRWS-004 | SUB-REQ-060 | verifies | VER-REQ-055 verifies SUB-REQ-060 TDA environmental testing |
| REQ-SEREMOTEWEAPONSTATIONRWS-003 | SUB-REQ-055 | verifies | VER-REQ-050 verifies SUB-REQ-055 FCS enclosure inspection |
| VER-REQ-104 | SUB-REQ-084 | verifies | Verification of OCU two-actuation HMI workload bound |
| VER-REQ-103 | SUB-REQ-083 | verifies | Verification of FCC controlled restart and SAFE state maintenance |
| REQ-SEREMOTEWEAPONSTATIONRWS-006 | SUB-REQ-073 | verifies | Verification of SUB-REQ-073 fault response behaviour |
| VER-REQ-101 | SUB-REQ-081 | verifies | Verification of automated boresight accuracy and timing |
| VER-REQ-100 | SUB-REQ-079 | verifies | Negative-path test verifies FCS positive ID enforcement and audit logging |
| VER-REQ-099 | SUB-REQ-074 | verifies | Verification of WCI dual-confirmation hardware logic |
| VER-REQ-098 | SUB-REQ-073 | verifies | Verification of FCC fault-to-safe-state transition |
| VER-REQ-097 | SUB-REQ-071 | verifies | Packet injection test verifies TDL authentication |
| VER-REQ-096 | SUB-REQ-070 | verifies | Ballistic bench test verifies BCM output specification |
| VER-REQ-095 | SUB-REQ-069 | verifies | HIL test verifies TTP output specification |
| VER-REQ-094 | SUB-REQ-045 | verifies | Verification of SUB-REQ-045 |
| VER-REQ-090 | SUB-REQ-030 | verifies | Verification of SUB-REQ-030 |
| VER-REQ-091 | SUB-REQ-032 | verifies | End-to-end latency measurement verifies ODU display latency bound |
| VER-REQ-092 | SUB-REQ-038 | verifies | Verification of SUB-REQ-038 |
| VER-REQ-093 | SUB-REQ-040 | verifies | Verification of SUB-REQ-040 |
| VER-REQ-089 | SUB-REQ-029 | verifies | Verification of SUB-REQ-029 |
| VER-REQ-088 | SUB-REQ-025 | verifies | Verification of SUB-REQ-025 |
| VER-REQ-087 | SUB-REQ-026 | verifies | Verification of SUB-REQ-026 |
| VER-REQ-074 | SUB-REQ-065 | verifies | Verification of SUB-REQ-065 degraded mode switchover |
| VER-REQ-073 | SUB-REQ-068 | verifies | Verification of SUB-REQ-068 |
| VER-REQ-072 | SUB-REQ-067 | verifies | Verification of SUB-REQ-067 |
| VER-REQ-071 | SUB-REQ-066 | verifies | Verification of SUB-REQ-066 |
| VER-REQ-070 | SUB-REQ-064 | verifies | Verification of SUB-REQ-064 |
| VER-REQ-069 | SUB-REQ-063 | verifies | Verification of SUB-REQ-063 |
| VER-REQ-001 | SUB-REQ-001 | verifies | FMEDA analysis verifies 1oo2D PFD meets SIL 3 |
| VER-REQ-002 | SUB-REQ-002 | verifies | Combinatorial state test verifies two-action arming and timeout |
| VER-REQ-003 | SUB-REQ-005 | verifies | Temperature-swept timing test verifies 200ms watchdog trigger |
| VER-REQ-004 | SUB-REQ-008 | verifies | Fault injection test verifies 100ms safe state response and latch |
| VER-REQ-007 | SUB-REQ-003 | verifies | Hardware firing interlock relay normally-open state verification |
| VER-REQ-008 | SUB-REQ-004 | verifies | Hardware firing interlock relay de-energise timing test |
| VER-REQ-009 | SUB-REQ-006 | verifies | Safe State Output Driver E-stop actuation test |
| VER-REQ-010 | SUB-REQ-007 | verifies | Arming Key Switch MAINTENANCE-LOCKOUT inspection |
| VER-REQ-011 | SUB-REQ-009 | verifies | Safety Interlock System power supply range test |
| VER-REQ-014 | SUB-REQ-013 | verifies | HIL loop rate test verifies FCC 50Hz pointing loop |
| VER-REQ-015 | SUB-REQ-015 | verifies | BCM step-response test verifies 20ms ballistic computation latency |
| VER-REQ-016 | SUB-REQ-017 | verifies | Hardware injection test verifies FCS safe-state response to SIS |
| VER-REQ-020 | SUB-REQ-022 | verifies | Structural and alignment test for Weapon Cradle and Mount |
| VER-REQ-026 | SUB-REQ-039 | verifies | Verification of SSPC fault isolation time |
| VER-REQ-036 | SUB-REQ-020 | verifies | Hardware watchdog starvation test verifies SAFE assertion within 100ms |
| VER-REQ-037 | SUB-REQ-021 | verifies | Power supply bench test verifies MIL-STD-1275E voltage range compliance |
| VER-REQ-038 | SUB-REQ-042 | verifies | Power range test verifies DCSC MIL-STD-1275E compliance |
| VER-REQ-039 | SUB-REQ-043 | verifies | Relay switching test verifies HFIR coil current and operate/release timing |
| VER-REQ-040 | SUB-REQ-044 | verifies | Elevation range and rate test against TDA elevation drive spec |
| VER-REQ-041 | SUB-REQ-049 | verifies | Motion simulator LOS error test against gyrostabilisation spec |
| VER-REQ-042 | SUB-REQ-048 | verifies | Boresight routine test including misalignment inhibit validation |
| VER-REQ-043 | SUB-REQ-046 | verifies | Reliability demonstration test and FMEA analysis for FCS MTBCF |
| VER-REQ-044 | SUB-REQ-052 | verifies | Watchdog starvation test verifies FCC WCI de-energisation and HMI notification |
| VER-REQ-045 | SUB-REQ-053 | verifies | Comms-loss solenoid timing test verifies WCI fail-safe requirement |
| VER-REQ-046 | SUB-REQ-055 | verifies | Inspection verification of FCS physical embodiment |
| VER-REQ-047 | SUB-REQ-056 | verifies | HIL test verification of link-loss detection timing |
| VER-REQ-048 | SUB-REQ-057 | verifies | Test verification of OCU degraded mode annunciation |
| VER-REQ-049 | SUB-REQ-058 | verifies | Motion simulator HIL test of TDC stabilisation accuracy |
| REQ-SEREMOTEWEAPONSTATIONRWS-003 | SUB-REQ-055 | verifies | Duplicate VER for SUB-REQ-055 physical embodiment |
| VER-REQ-051 | SUB-REQ-059 | verifies | Integration test verifying BCM CRC integrity check and fault flag |
| VER-REQ-052 | SUB-REQ-050 | verifies | Environmental qualification test for FCS LRU per MIL-STD-810H |
| VER-REQ-053 | SUB-REQ-051 | verifies | Endurance test verifying HFIR contact resistance under salt spray and cycling |
| VER-REQ-054 | SUB-REQ-054 | verifies | Fault injection test verifying PDU SSPC per-channel isolation time |
| VER-REQ-056 | SUB-REQ-060 | verifies | Temperature and IP67 test verifies TDA environmental protection requirement |
| VER-REQ-057 | SUB-REQ-061 | verifies | Environmental test verifies SIS temperature range and IP65 sealing |
| VER-REQ-058 | SUB-REQ-062 | verifies | Relay qualification test and contact resistance measurement verifies HW interlock relay spec |
| REQ-SEREMOTEWEAPONSTATIONRWS-004 | SUB-REQ-060 | verifies | Environmental qualification test for TDA mechanical assembly |
| REQ-SEREMOTEWEAPONSTATIONRWS-005 | SUB-REQ-016 | verifies | Trigger latency verification test for Weapon Control Interface |
| VER-REQ-059 | SUB-REQ-014 | verifies | Auto-track accuracy test for Target Tracking Processor |
| VER-REQ-060 | SUB-REQ-018 | verifies | Degraded mode day-camera tracking test |
| VER-REQ-061 | SUB-REQ-019 | verifies | Built-In Test functional verification for FCS |
| VER-REQ-062 | SUB-REQ-023 | verifies | Recoil force attenuation test for Recoil Buffer and Damping System |
| VER-REQ-063 | SUB-REQ-028 | verifies | Azimuth drive 360-degree rotation and position accuracy test |
| VER-REQ-064 | SUB-REQ-034 | verifies | MIL-STD-6016 data link conformance test for TDP |
| VER-REQ-065 | SUB-REQ-010 | verifies | TDA power input range verification |
| VER-REQ-066 | SUB-REQ-024 | verifies | Barrel change time demonstration |
| VER-100 | IFC-REQ-025 | verifies | VER-100 verifies IFC-REQ-025 BMS interface throughput |
| REQ-SEREMOTEWEAPONSTATIONRWS-002 | IFC-REQ-027 | verifies | VER-REQ-028 verifies IFC-REQ-027 GPS NMEA interface |
| VER-REQ-086 | IFC-REQ-029 | verifies | Verification of IFC-REQ-029 |
| VER-REQ-085 | IFC-REQ-026 | verifies | Verification of IFC-REQ-026 |
| VER-REQ-084 | IFC-REQ-014 | verifies | Verification of IFC-REQ-014 |
| VER-REQ-083 | IFC-REQ-012 | verifies | Verification of IFC-REQ-012 |
| VER-REQ-082 | IFC-REQ-008 | verifies | Verification of IFC-REQ-008 |
| VER-REQ-081 | IFC-REQ-007 | verifies | Verification of IFC-REQ-007 |
| VER-REQ-080 | IFC-REQ-006 | verifies | Verification of IFC-REQ-006 |
| VER-REQ-076 | IFC-REQ-002 | verifies | Verification of IFC-REQ-002 |
| VER-REQ-077 | IFC-REQ-003 | verifies | Verification of IFC-REQ-003 |
| VER-REQ-075 | IFC-REQ-001 | verifies | Physical inspection + load test verifies turret ring interface compliance |
| VER-REQ-078 | IFC-REQ-004 | verifies | Verification of IFC-REQ-004 |
| VER-REQ-079 | IFC-REQ-005 | verifies | Verification of IFC-REQ-005 |
| REQ-SEREMOTEWEAPONSTATIONRWS-002 | IFC-REQ-027 | verifies | Integration test verifying CAN-gateway GPS data distribution to FCS |
| REQ-SEREMOTEWEAPONSTATIONRWS-001 | IFC-REQ-025 | verifies | Integration test verifying TDP-BMS MIL-STD-6016 interface |
| VER-REQ-035 | IFC-REQ-024 | verifies | Integrated bench test verifies OCU-FCC command latency under video load |
| VER-REQ-034 | IFC-REQ-022 | verifies | Life endurance test verifies slip ring contact resistance and signal integrity |
| VER-REQ-033 | IFC-REQ-020 | verifies | Physical integration test verifies belt tension at traverse extremes |
| VER-REQ-032 | IFC-REQ-017 | verifies | RS-422 bench test verifies FCC-WCI command latency and CRC |
| VER-REQ-031 | IFC-REQ-016 | verifies | HIL test verifies FCC-BCM data interface latency |
| VER-REQ-030 | IFC-REQ-027 | verifies | Verification of IFC-REQ-027 GPS timing accuracy to FCS |
| VER-REQ-029 | IFC-REQ-025 | verifies | Verification of IFC-REQ-025 BMS radio interface throughput |
| VER-REQ-025 | IFC-REQ-028 | verifies | Verification of SIS always-on supply interface |
| VER-REQ-024 | IFC-REQ-027 | verifies | Verification of CAN gateway GPS distribution to FCS |
| VER-REQ-023 | IFC-REQ-025 | verifies | Verification of TDP-BMS interface |
| VER-REQ-022 | IFC-REQ-023 | verifies | EOSA dual-channel video interface integration test |
| VER-REQ-021 | IFC-REQ-021 | verifies | FCC-TDC interface integration test |
| VER-REQ-019 | IFC-REQ-019 | verifies | Verification of round-count interface |
| VER-REQ-018 | IFC-REQ-018 | verifies | Verification of barrel retention interface |
| VER-REQ-017 | IFC-REQ-015 | verifies | PCIe latency test verifies TTP-FCC interface rate and latency |
| VER-REQ-013 | IFC-REQ-010 | verifies | SIS to TDA drive inhibit hardwired path test |
| VER-REQ-012 | IFC-REQ-009 | verifies | Relay timing and isolation test verifies SIS-WAH firing circuit interrupt |
| VER-REQ-006 | IFC-REQ-013 | verifies | AND-gate and weld test verifies dual-channel firing barrier interface |
| VER-REQ-005 | IFC-REQ-011 | verifies | Interface test verifies key switch voltage levels and continuity monitoring |
| VER-REQ-111 | SYS-REQ-008 | verifies | FCS fault injection test verifies hardware firing interlock is independent of software state - the architectural independence claim for SIL-3 |
| VER-REQ-110 | SYS-REQ-012 | verifies | System-level BIT completion and fault detection test verifies 90s mode gate timing and safety-critical fault coverage |
| VER-REQ-109 | SYS-REQ-002 | verifies | System-level detection-to-fire sequence test verifies 8s timing requirement with two-crew trial |
| VER-REQ-108 | SYS-REQ-017 | verifies | Full MIL-STD-461G test suite verifies system-level EMC compliance and safety under EMI exposure |
| VER-REQ-107 | SYS-REQ-009 | verifies | System-level link-loss end-to-end timing test verifies SYS 500ms safe-state requirement |
| VER-REQ-106 | SYS-REQ-010 | verifies | System-level E-STOP end-to-end timing test verifies SYS requirement for 200ms safe-state transition |
| VER-REQ-105 | SYS-REQ-018 | verifies | VER-REQ-105 verifies SYS-REQ-018 PID range via field trial |

| Ref | Document | Requirement |
|---|---|---|
| VER-REQ-068 | verification-plan | Verify SUB-REQ-016: Inject a FIRE command from FCS simulator to Weapon Control Interface (WCI) using a calibrated signal... |
| VER-REQ-118 | verification-plan | Verify SUB-REQ-078: With RWS powered and thermal imaging channel active, inject a simulated primary optical channel fail... |
| VER-REQ-119 | verification-plan | The Electro-Optical Sensor Assembly SHALL be verified to operate correctly when supplied with 20V, 28V, and 32VDC input.... |
| VER-REQ-120 | verification-plan | While the Thermal Imaging Camera is in FAILED state, the Electro-Optical Sensor Assembly SHALL be verified to continue p... |
| VER-REQ-121 | verification-plan | The Gunner Hand Controller SHALL be verified to transmit azimuth and elevation slew commands at the specified rate. Conn... |
| VER-REQ-122 | verification-plan | The Video Compression and Network Interface Module SHALL be verified to compress and transmit daylight and thermal video... |
| VER-REQ-123 | verification-plan | The CAN Bus and Serial Protocol Gateway SHALL be verified to receive and republish CAN bus and serial data correctly. In... |
| VER-REQ-124 | verification-plan | The EMC Filter and Surge Protection Assembly SHALL be verified to suppress conducted emissions to the levels specified i... |
| VER-REQ-125 | verification-plan | The Power Monitor and Control Unit SHALL be verified to sample voltage and current on each subsystem power rail at the s... |
| VER-REQ-126 | verification-plan | The Tactical Data Link Processor SHALL be verified to operate correctly from the vehicle 28V DC bus across the 18V–32V o... |
| VER-REQ-127 | verification-plan | The Tactical Data Link Processor SHALL be verified to comply with MIL-STD-6016E message format and timing. Connect TDLP ... |