
Ministry of Defence

Defence Standard 59-114


Issue 1 Publication Date 13th January 2012

Safety Principles for Electrical Circuits in
Systems Incorporating Explosive Components

Part 1
Principles, Design Recommendations and
Electrical/Electromagnetic Environments
DEF STAN 59-114 Part 1 Issue 1

Contents

Foreword
0 Introduction
1 Scope
2 Warning
3 Normative References
4 Background
5 Principles of Design
6 Applicability
7 Risk and Hazard Analysis
Annex A Notes for Guidance in the Interpretation of the Principles of Design
Annex B The Nature of Problems Associated with EED and Their Firing Circuits
B.1 Introduction
B.2 Inadvertent Application of Power
B.3 EMI
B.3.1 General
B.3.2 RF Pick-up
B.3.3 Induced Transient Energy
B.3.4 Induced Low Frequency Energy
B.3.5 Induction and Generation of Electrostatic Charge
B.3.6 Hazards to EED from an Electrostatic Charge
B.3.7 Lightning Strike
B.3.8 Electromagnetic Pulse (EMP)
B.4 Test Equipment and Test Leads
B.5 Software Errors
Annex C Design Recommendations for EED and their Firing Circuits
C.1 Introduction
C.2 An Idealised Firing Circuit
C.3 Electro-Explosive Devices
C.4 Power Supplies
C.5 Firing Circuits
C.5.1 EED in In-line Systems
C.5.2 EED in Out-of Line Systems
C.6 Firing and Safety Switches
C.7 Firing Lines
C.7.2 Single-Pole Firing Lines
C.7.3 Double-Pole Firing Lines
C.7.4 Screening of Firing Lines
C.7.5 Ribbon or Thin Film Cable
C.7.6 Printed Circuit Boards
C.7.7 Firing Line Connectors
C.8 RF Filters
C.9 RF Filter Modules
C.10 Filtered Connectors
C.11 Optoelectronic Components
C.12 Electrostatic Discharge
C.13 Electromagnetic and Electrostatic Shielding
C.14 Shielding Due to System Structure
C.15 RF Gaskets
C.16 Protection Against EMP
C.17 Protection Against Lightning
Annex D Design Recommendations for Electronically Controlled EED Firing Circuits
D.1 Introduction
D.2 Design Recommendations
D.2.1 General
D.2.2 Firing Circuits With Physical Breaks
D.2.3 Firing Circuits Without Physical Breaks
D.2.4 Microprocessors
D.2.5 Application Specific Integrated Circuits and Complex Programmable Logic Device
D.3 Microprocessor Hardware Design Techniques
D.4 Microprocessor Self-test Software Design Techniques
D.4.1 General
D.4.2 Fault conditions
D.4.3 Watch-dog Timers
D.5 Interfaces
D.6 Remote Control Circuits
D.7 Intrinsic Safety Assessment
Annex E Design Requirements and Analysis of Safety Related Software
E.1 Introduction
E.2 Software Development
E.3 Software Requirement Specification
E.4 Verification and Validation (V&V) Team
E.5 Fidelity Of Specifications
E.6 Choice Of Software Support And Quality Of Software
E.7 Configuration Control
E.8 Documentation
E.9 Extent of Analysis
E.10 Verification, Validation and Test (VV&T)
Annex F Design Recommendations for Test Equipment
F.1 Introduction
F.2 Electrical Testing Of Firing Circuits
F.3 All-Up Round Electrical Test Equipment
F.4 No-volt Testing
F.5 Radiography
F.6 Automatic Test Systems for All-Up-Round Testing and Section Testing
Annex G Design Recommendations for Transport, Storage and Handling Systems
G.1 Introduction
G.2 Transport And Storage
G.2.1 EED
G.2.2 Installed EED and Associated Electronics
G.2.3 Transport and Storage Containers
Annex H The Electrical and Electromagnetic Environment Associated With Munitions
H.1 Introduction
H.2 The RF Environment
H.2.1 General
H.2.2 Peak Pulse Power Intensity
H.2.3 RF Environment Outside the Control of the UK
H.2.4 Control of RF Communication Equipment
H.3 Electrostatic Environment
H.4 Lightning
H.5 Electromagnetic Pulse
Annex I Glossary Of Terms And Abbreviations
I.1 Glossary of Terms
I.2 Abbreviations

Figures

Figure A.1 Illustration of Safety Margin for an EED
Figure A.2 Illustration of Safe Margin for an Electronic Switch
Figure B.1 Powered Semiconductor Prematurely Switched on by EMI
Figure B.2 Switch Self-capacitance
Figure B.3 NATO Letter Designations for RF Bands
Figure B.4 Firing Line and Representative Equivalent Aerials
Figure B.5 Fortuitous Multi-Element Aerial
Figure B.6 Field Penetration of Apertures in a Metal Enclosure
Figure B.7 Operator Forming an Aerial
Figure B.8 ESD Leakage Path of Single-Pole EED
Figure B.9 ESD Double-Pole EED
Figure B.10 Single-Pole Earth Return Firing System
Figure C.1 Simple Idealised Firing Circuit
Figure C.2 Simple Firing Circuit
Figure C.3 Idealised In-line Fuzing System for Warhead Initiation
Figure C.4 Typical Non-interrupted Explosive Train Safety and Arming Device
Figure C.5 General Firing System
Figure C.6 Single Pole Ground Return System
Figure C.7 The Hazard to Parallel EED in a Single Pole Ground Return System
Figure C.8 Earthing/Grounding Schemes
Figure C.9 A Fully Screened Modular Firing System
Figure C.10 RF Filter Module
Figure C.11 Protection from Charge Accumulation
Figure C.12 Correct and Incorrect Techniques for the Design of Joints
Figure D.1 Use of Independently Controlled Switch to Provide a Physical Break
Figure E.1 V Model Lifecycle
Figure H.1 Waveform and Spectrum Comparisons between EMP and Lightning

Tables

Table H.1 The Minimum Service Radio Frequency Environment
Table H.2 Personnel-Borne Electrostatic Parameters
Table H.3 Helicopter-Borne Electrostatic Parameters
Table H.4 Lightning Strike Parameters (Combined Positive and Negative Flashes)


Foreword
AMENDMENT RECORD

Amd No Date Text Affected Signature and Date

REVISION NOTE

This standard is introduced at Issue 1.

HISTORICAL RECORD

This standard comprises 3 parts and supersedes the following:

Ordnance Board Pillar Proceedings P101(2) Dated 29 Apr 1997 (covered in parts 1, 2 and 3) and P112(2)
Dated 29 Aug 2000 (covered in Part 2).

a) This standard provides requirements for the design and assessment of electrical circuits incorporating
explosive components.

b) This standard has been produced on behalf of the Defence Material Standardization Committee (DMSC)
by the Defence Ordnance Safety Group (DOSG).

c) This standard has been agreed by the authorities concerned with its use and is intended to be used
whenever relevant in all future designs, contracts, orders etc. and whenever practicable by amendment to
those already in existence. If any difficulty arises which prevents application of the Defence Standard, UK
Defence Standardization (DStan) shall be informed so that a remedy may be sought.

d) Any enquiries regarding this standard in relation to an invitation to tender or a contract in which it is
incorporated are to be addressed to the responsible technical or supervising authority named in the invitation
to tender or contract.

e) Compliance with this Defence Standard shall not in itself relieve any person from any legal obligations
imposed upon them.

f) This standard has been devised solely for the use of the Ministry of Defence (MOD) and its contractors
in the execution of contracts for the MOD. To the extent permitted by law, the MOD hereby excludes all
liability whatsoever and howsoever arising (including, but without limitation, liability resulting from
negligence) for any loss or damage however caused when the standard is used for any other purpose.


0 Introduction

0.1 Pillar Proc 101(2) was published in April 1997, superseding P101(1) and OB Proc 42413. These
documents, sponsored by the Ordnance Board's Electrical/Explosives Hazards Committee (E/EHC), set out
the principles of design, use, assessment and test for electrical circuits incorporating electro-explosive
devices (EED). Pillar Proc P112(2) contained the requirements for characterising Electro-Explosive Devices
to enable their no-fire threshold characteristics to be established in a statistically significant manner.

0.2 To align with MOD policy to eliminate or reduce the number of departmental standards and to provide
up to date requirements and guidance, it has been decided to combine the Pillar Proceedings into a single
Defence Standard and, as part of that process, to include any additional requirements previously covered by
Def Stans 21-3 [21] (ex NES 1003) and 08-124 [22] (ex Def Stan 21-6 and NES 1006), which will be
cancelled on publication of this standard. The publication of this standard, along with the update to chapter 24
of JSP 482 [28] (already completed), will also enable JSP 412 to be cancelled.

0.3 With the increase in use of more complex and sensitive electronic and microprocessor components in
munitions, and as more knowledge has been gained of the test and assessment requirements related to high
voltage Electro-Explosive Devices, a review of the above documents identified a number of detailed
amendments that were required either as a result of a greater understanding of the issues, or the publication
of new Defence and NATO Standards. The use of high power and more low power portable radiation
sources, both military and civil, has also grown, so increasing the electromagnetic environment and the
probability of an inadvertent initiation of a weapon system from such a source.

0.4 A new Defence Standard has therefore been produced to replace all the above standards without
changing the fundamental design or assessment requirements of the original Ordnance Board Pillar
Proceedings.

0.5 The Defence Standard has been divided into three Parts:

Part 1: Principles, Design Recommendations and Electrical/Electromagnetic Environments.

Part 2: Electro-Explosive Devices and their Characterization.

Part 3: Assessment, Safety Margins and Trials.


Safety Principles for Electrical Circuits in Systems Incorporating Explosive Components

Part 1 - Principles, Design Recommendations and Electrical/Electromagnetic Environments

1 Scope

1.1 This Defence Standard sets out the principles that are required for the design, assessment, testing
and use of electrical circuits and software in systems which incorporate or control explosive components.
The methods and techniques the Ministry of Defence (MoD) will use when assessing the safety of such
circuits and software are also given together with recommendations on safety margins and trials factors. The
standard also identifies the electrical and electromagnetic environments and the nature of the problems
involved in the design and operation of systems with Electro-Explosive Devices (EED).

2 Warning
The Ministry of Defence (MOD), like its contractors, is subject to both United Kingdom and European laws
regarding Health and Safety at Work. All Defence Standards either directly or indirectly invoke the use of
processes and procedures that could be injurious to health if adequate precautions are not taken. Defence
Standards or their use in no way absolves users from complying with statutory and legal requirements
relating to Health and Safety at Work.

3 Normative References

3.1 The publications shown below are referred to in the text of this standard. Publications are grouped and
listed in alpha-numeric order.

[1] Ammunition and Explosives Regulations (Land Service), Volumes I and II
[2] Methods of Determining the Electrostatic Potential and Charging Current of a Hovering Helicopter. G A Odam Williamsburg Lightning Conference September 1995
[3] AECTP 250 Leaflet 253 Electrostatic Charging, Discharge and Precipitation Static (P Static)
[4] AECTP 250 Leaflet 254 Atmospheric Electricity and Lightning
[5] AECTP 250 Leaflet 256 Nuclear Electro-Magnetic Pulse (NEMP/EMP)
[6] AECTP 250 Leaflet 258 RF Electromagnetic Environments (EME)
[7] AECTP 500 Leaflet 508/2 Electrostatic Discharge, Munitions Test Procedures
[8] AECTP 500 Leaflet 508/4 Lightning, Munition Assessment and Test Procedures
[9] AEP-4 Nuclear Survivability Criteria for Armed Forces Material and Installations
[10] AOP-52 Guidance on Software Safety Design and Assessment of Munition-Related Computing Systems
[11] BR 2924 Handbook of Radio Hazards in Naval Service
[12] BS EN ISO/IEC 90003:2004 Software engineering. Guidelines for the Application of ISO 9001:2000 to Computer Software
[13] DAP110A-0102-1D Explosives Regulations Radio Frequency Hazards to Electro-explosive Devices
[14] Def Stan 00-35 Environmental Handbook for Defence Materiel
[15] Def Stan 00-56 Safety Management Requirements for Defence Systems
[16] Def Stan 00-88 Packaging of Ammunition and Explosives
[17] Def Stan 00-970 Design and Airworthiness Requirements For service Aircraft - Part 13 Clauses 3.1 to 3.4
[18] Def Stan 05-57 Configuration Management of Defence Materiel
[19] Def Stan 07-85 Design Requirements for Weapons and Associated Systems
[20] Def Stan 08-4 Nuclear Weapon Explosion Effects and Hardening, Parts 0 to 4
[21] Def Stan 21-3 The Requirement for Assessing Transient Coupled Energy Into Stores Containing Electro-Explosive Devices.
[22] Def Stan 08-124 Radio Frequency Environment and Acceptance Criteria for Naval Stores Containing Electro-Explosive Devices (Cat 1)
[23] Def Stan 59-411 Part 2 Electromagnetic Compatibility: The Electric, Magnetic and Electromagnetic Environment
[24] DOSG Divisional Note 143/2009 Rationale for Environment Descriptions in Defence Standard 59-411 Part 2 Issue 1 Amendment 1 dated 31 January 2009.
[25] JSP 188 Specification for Technical Publications for the Services: Documentation of Software in Military Operational Systems
[26] JSP 375 MOD Health and Safety Handbook
[27] JSP 392 Instructions for Radiation Protection
[28] JSP 482 MOD Explosive Regulations
    Chap 8 Safety Standards for Electrical Installations and Equipment in Explosives Facilities
    Chap 24 Radio Frequency Hazards to Electro-Explosive Devices
[29] JSP 520 Ordnance Munitions and Explosive Safety Management System
[30] STANAG 4187 Fuzing Systems Safety Design Requirements
[31] STANAG 4368 Electric and Laser Ignition Systems for Rockets and Guided Missile Motors Safety Design Requirements
[32] Thales ME Ltd. Report DMP 11928. Issue 2 Measurement of the Power Rating of Pi-section Radio Hazard Filters, Dated May 2005
[33] Thales ME Report RHD 2033 Mains Transient Coupling Investigation Test Report October 2008

3.2 Reference in this Standard to any normative references means in any Invitation to Tender or contract
the edition and all amendments current at the date of such tender or contract unless a specific edition is
indicated.

3.3 In consideration of clause 3.2 above, users shall be fully aware of the issue and amendment status of
all normative references, particularly when forming part of an Invitation to Tender or contract. Responsibility
for the correct application of standards rests with users.

3.4 DStan can advise regarding where normative references documents are obtained from. Requests for
such information can be made to the DStan Helpdesk. How to contact the helpdesk is shown on the outside
rear cover of Def Stans.


4 Background

4.1 EED are used in military systems to perform a variety of roles, including to:

a) Detonate warheads and demolition charges.

b) Ignite rocket motors.

c) Ignite propellants for tube-launched projectiles.

d) Ignite gas generators for:

i. Removal of panels from projectiles.

ii. Inflation of flotation bags.

iii. Functioning protractors.

iv. Release of battery electrolyte into cells.

v. Removal of detents.

e) Initiate thermal batteries.

f) Initiate cutting action.

g) Initiate flares and pyrotechnics.

h) Initiate explosive bolts.

4.2 A basic disadvantage of many EED types is that they function as a direct result of heating some part
of the initiating material by an input of electrical energy which can, for many devices, be of any frequency.
Hence, in addition to the need to prevent inadvertent initiation by the intended source of firing power or
associated test equipment, it is necessary to provide protection against conducted and radiated
electromagnetic interference (EMI) which may be induced by the electromagnetic (EM) environment. EMI
could initiate an EED directly or indirectly by causing the firing circuit switches to operate prematurely.

4.3 The environment to which a weapon system/firing circuit may be subjected will depend on the
manufacture to target or disposal sequence (MTDS). The User Requirement should specify the operational
scenarios and conditions in which the system shall remain either safe, or safe and suitable for service (S3),
or must function for safety. The MTDS will include mechanical and climatic environments as well as electrical
and electromagnetic. The former environments are not covered by this standard and reference should be
made to Def Stan 07-85 [19] and Def Stan 00-35 [14]. From this information it is possible to derive the EM
environment levels which will apply to the system. For the purpose of this Defence Standard the following
terminology applies:

4.3.1 The expression "electrical circuits incorporating EED" extends to the use of discrete electronics,
microelectronic devices, microprocessors and associated software, directly concerned with the control and
initiation of EED firing circuits of the complete weapon system.

4.3.2 The expression "the EM environment" includes the environment produced by any of the following
phenomena, singly or in combination:

a) Electromagnetic radiation (EMR).

b) Electrostatic discharge (ESD).

c) Electromagnetic pulse (EMP).

d) Lightning.

e) Electrical transients.

f) Low frequency and static magnetic fields.


4.3.3 The expression "EMI" includes interference caused by any or all of the phenomena in
sub-clause 4.3.2 above.

4.3.4 The expression "Electromagnetic Compatibility (EMC)" refers to the ability of the system to remain
safe, and when required, serviceable, in a specified EM environment which may include any or all of the
phenomena in sub-clause 4.3.2 above.

4.3.5 In addition to standard EMC considerations the risk from Electromagnetic Radiation includes Radio
Hazards (RADHAZ) - a term which is used to cover hazards to ordnance, personnel and fuel. Ordnance
RADHAZ relates to the inadvertent initiation of EED resulting from exposure to radio frequency radiation, in
both a Passive configuration, when power is not applied to the circuit, and Active when the electrical circuit
controlling the firing signal is powered. Since in many countries this effect has been termed HERO (Hazards
of Electromagnetic Radiation to Ordnance) and this term has been adopted in many NATO standards it is
sometimes used in this document when the meaning is clearer.

4.4 It is recognised that during research and development activities some aspects of this standard and the
environments given will not be relevant. In such situations the developer will need to make risk assessments
and ensure all risks are reduced to As Low As Reasonably Practicable (ALARP) and are tolerable.

5 Principles of Design

5.1 Defence Standard 00-56 [15] sets the requirements for the management of safety for all defence
systems. Demonstration of safety is achieved through the provision of evidence that the system meets all legislation
and MOD policy and is safe for its intended purpose through its life. In addition all systems containing
explosives are required to have a safety case which is to be independently assessed as defined in
JSP 520 [29].

5.2 The principles of design related to the protection of an EED from inadvertent initiation are set out in
sub-clauses 5.2.1 to 5.2.12. The principles are considered mandatory and use the term shall. The
remainder of the standard is essentially guidance on how the principles may be met and so the requirements
generally use the term should. There are, however, some aspects that are essential requirements from
related documents and so shall is used in such cases.

5.2.1 Firing circuits for EED in non-nuclear munitions shall be so designed that, when the operation or
arming of an EED is unacceptable, no single fault or failure of any nature (including common mode faults)
can result in an unsafe condition or initiation of that EED. For nuclear munitions additional safety precautions
are required.

5.2.2 Specific design requirements for nuclear weapons related to the number of safety breaks required
are not covered by this standard and reference should be made to the relevant safety authority for this
aspect of the design. The general principles and guidance within this standard are, however, applicable to
nuclear weapons.

5.2.3 The probability of inadvertent initiation of an EED shall be such that the overall safety and reliability
requirements of the system are able to be met or exceeded and the residual risk is tolerable and ALARP.

5.2.4 EED used shall have as high a No-Fire Threshold (NFT) as possible whilst meeting the system
requirements and shall have well characterized NFT parameters (derived as described in Part 2 of this
standard) for both normal and abnormal firing modes as appropriate. Use of an EED with a NFT of less than
1 watt shall be specifically justified in the system safety case.

5.2.5 Firing circuit switches and safety breaks shall not be susceptible to common-cause failures and,
irrespective of the operating stimulus required, shall not be capable of functioning, at any stage in the service
life, except when subjected to the design stimuli. They shall be capable of being returned to the safe
position, if required, following intentional operation.

5.2.6 Where the correct functioning of an EED is required for safety as opposed to operational
performance (e.g. in a command break-up unit, Ejector Seat, or cable cutter), careful attention shall be given
to the reliability of the complete firing circuit ensuring that the correct firing pulse level is always generated
thus maintaining the safety.


5.2.7 Single faults or common cause failures shall not lead to the inadvertent generation of stimuli required
to operate safety breaks and firing switches in the specified service environment.

5.2.8 Directly applied currents intended for firing low voltage EED shall be chosen such that it is possible
to eliminate signals of other frequencies from the firing circuit. Ideally, firing currents for low voltage EED
shall be dc, or ac below a frequency of 10 kHz.

5.2.9 When an EED, in isolation or incorporated in a firing circuit, is exposed to the specified EM
environment, it shall not be possible to induce into it a level of EM energy which would encroach upon a
defined safe margin below the established No-fire Threshold (NFT) level of the EED. For HV devices this
assessment will normally use the Malfunction Threshold (MFT) of the device derived as explained in Part 2
of this standard. For an in-line warhead or rocket motor HV initiator the voltage on the firing capacitor shall
also be shown to be a defined margin below the no-fire voltage.

5.2.10 When an EED firing circuit incorporating electronic switches is exposed to the specified EM
environment, it shall not be possible to induce a level of EM energy into the circuit which would encroach
upon a defined safe margin below the established switching threshold of the electronic switches.

5.2.11 Any software contributing to a safety related function in a firing circuit or weapon control system
shall comply with the relevant principles set out above. Such software shall be rigorously specified, designed,
documented, verified and validated as detailed in Annex E. Independent certification of its safety integrity
should be sought and documented. These same principles and practices shall be applied to complex
electronic devices and the design/configuration processes which use a Hardware Description Language
(HDL) or other software based process.

5.2.12 Test equipment (including Built in Test (BIT)) shall be so designed that:

a) No single fault or failure of any nature (in the munition or test equipment) can result in the initiation of an
EED or an unsafe situation. Connection or use of the test equipment shall not unacceptably degrade the
safety of the system under test.

b) For alongside testing of non-nuclear AURs the system shall be 2 fault safe.

c) Connection to the system under test will not unacceptably degrade the EMC, or introduce unacceptable
transients into the system within the specified EM environment.

d) Safety under test conditions shall not be solely dependent on procedures. For alongside AUR testing the
system shall be safe in the event of test personnel making 2 errors which are independent in nature.

5.3 Guidance on the interpretation and applicability of the principles of design is given in Annex A.
Detailed information concerning the design, safety assessment, testing and use of EED and their firing
circuits in the full range of EM environments is at Annex B to Annex H, and in Parts 2 and 3 of this standard.
A full glossary is given at Annex I.

5.4 Aircraft armament systems are required to meet the requirements of Def Stan 00-970 [17].
Weapons/stores to be installed in aircraft are to meet the relevant requirements of that standard and the
interface definition derived for the aircraft/store combination.

6 Applicability

6.1 The principles of design (set out in Clause 5 above) and design recommendations are intended to
apply to all applications of EED in nuclear and non-nuclear munitions, stores and electrical firing circuits
(including those used on Remote Control Vehicles (RCV) and ranges) when inadvertent functioning of the
EED is unacceptable. Such applications range from simple, manually controlled firing circuits to complete
fuzing systems incorporating safety and arming functions and to the launching and release of weapons
including those which may respond automatically to target acquisition data. The principles of design should
also be observed where explosives are initiated by other means which are electrically/electronically
controlled, i.e. electrically operated percussion or laser systems.

6.2 By observance of the principles of design, careful design and choice of components, inadvertent
initiation of an EED from any cause should be very unlikely. Observance should ensure the RADHAZ/EMC of
an EED and its firing circuit, in its specified electrical/EM environment, throughout all phases of the service
life. This would obviate the need to impose operational restrictions on the movement of an EED, on the use
of transmitters in its vicinity, or on the installation in which it is incorporated. It is accepted, however, that
restrictions may be necessary in some situations such as when an EED is necessarily being handled.

7 Risk and Hazard Analysis


7.1 Defence Standard 00-56 [15] sets the requirements for the acquisition and management of safety for all
defence systems. These requirements are mandatory for weapon systems in common with all other systems.
Demonstration of safety is achieved through the provision of evidence that the system meets all legislation
and MOD policy, is safe for its intended purpose throughout its life and that the system safety is ALARP and
tolerable.

7.2 The consequences and probabilities of failures in circuits associated with EED should be analysed as
part of the overall system risk/hazard analysis carried out as required by Def Stan 00-56 [15]. The designer
should introduce all necessary safety features so that the final design meets the system safety requirement.
The principles published here do not present a design solution and may need enhancing in some situations.
They are not intended to restrict the designer in the methods and techniques used to meet a particular
requirement. A designer may propose suitable means of ensuring safety although evidence that the safety
requirements will be met will be required.


Annex A
Notes for Guidance in the Interpretation of the Principles of Design

Ser No. | Principles of Design | Notes for Guidance | Relevant Annex/Appendix

Ser No. 1
Principles of Design: Sub-clause 5.2.1
Firing circuits for EED in non-nuclear munitions shall be so designed that when the operation or arming
of an EED is unacceptable, no single fault or failure of any nature (including common mode faults) can
result in an unsafe condition or initiation of that EED. For nuclear munitions additional safety
precautions are required.
Notes for Guidance:
a) It is not sensible to rely upon a single switch to control a firing circuit; a single fault could cause
the switch to fail in a short-circuit condition which would result in initiation of the EED.
b) The use of 2 switches, connected in series, between an EED and a source of firing power can overcome
this potential hazard with the proviso that the 2 switches shall be of different design to avoid the
possibility of common-cause failures.
c) Firing circuits controlled solely by semiconductor switches require particular care and attention to
ensure their safety. Where practical at least one other type of independent break (between an EED and a
source of firing power) should be included. The inclusion of a physical break has 2 advantages over a
semiconductor switch:
i. The low self-capacitance of a physical break, compared with that of a semiconductor switch, provides
greater impedance to the passage of any induced RF energy.
ii. It provides increased confidence in the ability of a firing circuit safely to withhold firing power
from an EED in circumstances where there may be a degree of uncertainty with respect to the reliability
of semiconductor switches caused by, for example, an extended period of dormancy prior to operational
use, extremes of temperature or high EM environment levels.
d) Where two semiconductor breaks are essential it will be necessary to show by test that RF pick-up is
below the NFT of the EED (by an agreed safety margin) and below the switching threshold of the switches
(the latter at EM levels relevant when electronics are live). It will also be necessary to show that the
transient state during power application does not pass significant energy to the EED and that the
reliability of the semiconductor switches is adequate. Semiconductor switches of different design are
highly recommended if this is to be achieved.
e) Firing circuits, whether electronic or electro-mechanical, shall be simple and incorporate as few
components as possible consistent with achieving safety and operational requirements.
f) Electronic circuits intended to control the arming of a warhead fuzing system or rocket motor
initiation system (e.g. the charging of an EED firing capacitor) shall incorporate at least one safety
feature which will prevent arming even in an open or short circuit failure condition. This feature shall
prevent unintentional arming should the electronic safety features, either singly or in any combination,
fail to an open or short-circuit condition. If this feature is a dynamic switch, the driving signal shall
be unique to that application in any one munition or weapon system.
g) To ensure that other elements of a firing circuit (e.g. wiring, connectors, track layout, passive and
active components, etc.) cannot create a hazard because of a single failure, it will be necessary to
conduct comprehensive Fault Tree Analyses backed up where necessary with Failure Mode and Effects (or
Effects and Criticality) Analyses. These analyses shall form part of an overall system hazard analysis
and shall include consideration of short and open circuits in wiring, connectors etc.
Relevant Annex/Appendix: Annex C (notes a to e); Annex D (notes f and g)

Ser No. 2
Principles of Design: Sub-clause 5.2.2
Specific design requirements for nuclear weapons related to the number of safety breaks required are not
covered by this standard and reference should be made to the relevant safety authority for this aspect of
the design. The general principles and guidance within this standard are, however, applicable to nuclear
weapons.
Notes for Guidance:
The additional requirements for safety breaks in nuclear weapons stem from the greater hazard associated
with them. Specific requirements are therefore defined to ensure the risk of realising this hazard is
extremely small. The hazard is not necessarily only from the risk of a nuclear initiation but also from
some other risks associated with unacceptable system failure (e.g. unintentional launch or misfire). It
can generally be satisfied by the use of 3 independent switches or other safety devices not susceptible
to common mode failures, connected in series, supported by a FTA, and an FMEA/FMECA. (See also further
Notes of Guidance for Ser No. 1 above.)

Ser No. 3
Principles of Design: Sub-clause 5.2.3
The probability of inadvertent initiation of an EED shall be such that the overall safety and reliability
requirements of the system are able to be met or exceeded and the residual risk is tolerable and ALARP.
Notes for Guidance:
As well as meeting the requirements of serials 1/2 above the probability of initiation of an EED shall be
sufficiently low as to ensure the overall system safety and reliability requirements are not compromised.
The probability of inadvertent initiation shall be assessed as part of the FTA discussed above.

Ser No. 4
Principles of Design: Sub-clause 5.2.4
EED used shall have as high a no-fire threshold (NFT) as possible whilst meeting the system requirements
and shall have well characterized NFT parameters (derived as described in Part 2 of this standard) for
both normal and abnormal firing modes as appropriate. Use of an EED with a NFT of less than 1 watt shall
be specifically justified in the system safety case.
Notes for Guidance:
a) An ideal EED, from the point of view of preventing inadvertent initiation because of EMI, would have a
sufficiently high NFT level such that no filtering, shielding, or restrictions in operational use, are
necessary. EED with an NFT > 1W are now widely available and where power limitations are not an issue and
other performance criteria can be met they provide increased levels of immunity to RF pick-up.
b) The use of an EED with a well-characterized NFT level is essential in order that levels of energy or
power, which can be safely tolerated by an EED, may be stated with confidence. (Annex C, Clause C.3.)
Characterization shall normally be done in accordance with Part 2 of this standard.
c) Use of low voltage (LV) EED with a very short time constant (e.g. within the duration of a single
radar pulse) shall be restricted to those applications in which such a short time constant is essential.
Relevant Annex/Appendix: Annex C

Ser No. 5
Principles of Design: Sub-clause 5.2.5
Firing circuit switches and safety breaks shall not be susceptible to common cause failures and,
irrespective of the operating stimulus required, shall not be capable of functioning, at any stage in the
service life, except when subjected to the design stimulus. They shall be capable of being returned to
the safe position, if required, following intentional operation.
Notes for Guidance:
a) To avoid the possibility of common-cause failures, firing and safety switches shall be independently
controlled, of different design and preferably obtained from different manufacturers.
b) The argument for 2 or more firing switches is as follows. Consider a requirement to provide evidence
that the probability of a switch failure which could lead to an inadvertent initiation is less than P,
where P is very small. It may be quite impractical to test sufficient switches of any one design in order
to provide statistically meaningful evidence that the particular design is sufficiently reliable.
However, it may be quite feasible to provide evidence that 2 independent switches of different design
each has a probability of short-circuit failure of less than P^(1/2), so that when connected in series
the combined probability of failing is less than P.
c) A weapon system is required to remain safe and serviceable when subjected to relatively harsh
mechanical and climatic environments, as well as the EM environment. It is necessary to ensure,
therefore, that safety switches designed to respond to, for example, pressure, do not function when
exposed to other elements of the specified service environment such as shock and vibration.
d) Firing and safety switches associated with initiation of the release or launch of weapons shall, after
their operation, be capable of being returned to the safe position in the event of a misfire or
cancellation of firing.
e) Firing and safety switches shall be designed to remain safe, and when specified, safe and serviceable,
when subjected to the effects of credible accidents to which the weapon system may be exposed.
f) Where procedural safeguards are included in the safety process, they shall be unambiguously defined,
specified and controlled throughout their service life. Safety should never rely solely upon defined
operating drills or procedures.
Relevant Annex/Appendix: Annex C

Ser No. 6
Principles of Design: Sub-clause 5.2.6
Where the correct functioning of an EED is required for safety as opposed to operational performance
(e.g. in a command break-up unit, Ejector Seat, or cable cutter), careful attention shall be given to the
reliability of the complete firing circuit ensuring that the correct firing pulse level is always
generated thus maintaining the safety.
Notes for Guidance:
Some applications of EED require them to perform reliably for a safety function to be achieved. A
break-up circuit is a prime example. Also in some cases the non- or partial functioning of an EED could
lead to a potentially dangerous situation in which a weapon needs to be unloaded or disposed of when it
is in an uncertain condition. The fundamental reliability of the firing circuit therefore needs to be
shown to meet the relevant safety targets. The choice of firing voltage or energy needs to be made with
full knowledge of the characteristics of the EED to ensure that sufficient but not too much power is
provided.

Ser No. 7
Principles of Design: Sub-clause 5.2.7
Single faults or common cause failures shall not lead to the inadvertent generation of stimuli required
to operate safety breaks and firing switches in the specified service environment.
Notes for Guidance:
a) An example of the inadvertent generation of a stimulus is the effect of an accidental drop. The
acceleration forces produced may well cause an acceleration sensor to function if not guarded against by
choice of component operating characteristics in relation to the specified environment.
b) The spurious generation of electrical stimuli capable of switching associated electronics shall not be
possible when the weapon system is exposed to the specified EM environment.
c) Where a switch that provides a physical break in a firing circuit is controlled by electronically
derived trigger signals, generation of the trigger signals shall not be possible until a firing sequence
is initiated.
Relevant Annex/Appendix: Annex C

Ser No. 8
Principles of Design: Sub-clause 5.2.8
Directly applied currents intended for firing EED shall be chosen such that it is possible to eliminate
signals of other frequencies from the firing circuit. Ideally firing currents shall be dc, or ac below a
frequency of 10 kHz.
Notes for Guidance:
When a firing circuit cannot be completely screened from externally generated EMI, it will be necessary
to fit low-pass filters in the firing lines to prevent high frequency currents reaching an EED or
associated electronics. The frequency of a firing supply must therefore be within the pass-band of the
filters. For certain circuits which use transformer coupled firing signals it may be necessary to use
higher frequency signals. These need to be considered on the basis of the ability of the circuit to
reject external interference without additional filtering.
Relevant Annex/Appendix: Annex C & Annex D

Ser No. 9
Principles of Design: Sub-clause 5.2.9
When an EED in isolation, or incorporated in a firing circuit, is exposed to the specified EM
environment, it shall not be possible to induce a level of EMI into the circuit which would encroach upon
a defined safe margin below the established No-fire Threshold (NFT) level of the EED. For HV devices this
assessment will normally use the Malfunction Threshold (MFT) of the device derived as explained in Part 2
of this standard. For an in-line warhead or rocket motor HV initiator the voltage on the firing capacitor
shall also be shown to be a defined margin below the no-fire voltage.
Notes for Guidance:
Figure A.1 illustrates the principle of safety margins. Safety margins to be used for various
circumstances are recommended in Part 3 Annex A.
HV EED used for in-line initiation/detonation systems require a fast rise time high energy pulse to
function. Power absorbed from the EM environment is therefore considered to be very unlikely. For this
reason RADHAZ assessments on EFI and EBW are done using the malfunction threshold of the device.
Relevant Annex/Appendix: Annex C; Part 3 Annex A

Ser No. 10
Principles of Design: Sub-clause 5.2.10
When an EED firing circuit, incorporating electronic switches, is exposed to the specified EM
environment, it shall not be possible to induce a level of EMI into the circuit which would encroach upon
a defined safe margin below the established switching threshold of the electronic switches.
Notes for Guidance:
The diagram at Figure A.2 illustrates this principle. Safety margins to be applied to the switching
threshold of electronic switches are recommended in Part 3 Annex B. It may not always be feasible to
monitor the voltage on the relevant gate of an electronic firing switch as implied by Figure A.2. In such
cases the test level to be applied shall be increased to allow a safety margin to be demonstrated.
Relevant Annex/Appendix: Annex C & Annex D; Part 3 Annex B

Ser No. 11
Principles of Design: Sub-clause 5.2.11
Any software contributing to a safety related function in a firing circuit or weapon control system shall
comply with the relevant principles set out above. Such software shall be rigorously specified, designed,
documented, verified and validated as detailed in Annex E. Independent certification of its safety
integrity should be sought and documented. These same principles and practices shall be applied to
complex electronic devices and the design/configuration processes that use a Hardware Description
Language (HDL) or other software based process.
Notes for Guidance:
a) The production of high integrity software shall be conducted in accordance with Annex E and requires:
i. The use of clearly defined specifications for requirements, system design, procedures and software.
Specifications should be capable of being translated into mathematical form.
ii. The use of an appropriate language or sub-set of a language.
iii. The enforcement of disciplined codes of programming practice and documentation.
iv. Means of static analysis of software.
v. Dynamic system testing; specific areas to be tested may well be indicated by the results of the static
analysis.
vi. Methods of comparing the results from static analysis and dynamic testing with the specifications.
b) Uniquely coded outputs shall be required before safety critical functions are initiated. Such codes
shall have minimum correlation with any other codes employed in the system.
Relevant Annex/Appendix: Annex E

Ser No. 12
Principles of Design: Sub-clause 5.2.12
Test equipment shall be so designed that:
a) No single fault or failure of any nature (in the munition or test equipment) can result in the
initiation of an EED or an unsafe situation. Connection or use of the test equipment shall not
unacceptably degrade the safety of the system under test.
b) For alongside testing of non-nuclear AURs the system shall be 2 fault safe.
c) Connection to the system under test will not unacceptably degrade the EMC, or introduce unacceptable
transients into the system within the specified EM environment.
d) Safety under test conditions shall not be solely dependent on procedures. For alongside AUR testing
the system shall be safe in the event of test personnel making 2 errors which are independent in nature.
Notes for Guidance:
Principles at Ser Nos. 1 to 8 inclusive are intended to ensure protection of EED and their firing
circuits, including electronics, from the consequence of failure modes that might occur in a firing
system, and from the effects of EMI. It is equally important to ensure that the use of test equipment
does not negate or degrade the precautions taken or introduce further hazards.
Relevant Annex/Appendix: Annex F
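
The statistical argument in note b) against Ser No. 5 (sub-clause 5.2.5), and the proviso in Ser No. 1 note b) that the 2 switches be of different design, can be put into numbers. The following is an added example, not part of this standard: it assumes a zero-failure binomial demonstration and, for the common-cause case, the beta-factor approximation from general reliability practice; the target P = 1e-6, the 95 % confidence level and beta = 0.01 are constructed values.

```python
"""Added illustration: test burden for one switch design versus two in series."""
import math


def zero_failure_trials(p_max: float, confidence: float) -> int:
    """Failure-free trials needed to show a failure probability below p_max.

    If the true probability were p_max or worse, n clean trials would occur
    with probability at most (1 - p_max)**n. Requiring that to be no more
    than 1 - confidence gives n >= ln(1 - confidence) / ln(1 - p_max).
    """
    if not 0.0 < p_max < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("p_max and confidence must lie strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log1p(-p_max))


def demonstrated_bound(n_trials: int, confidence: float) -> float:
    """One-sided upper bound on failure probability after n clean trials."""
    if n_trials < 1:
        raise ValueError("at least one trial is required")
    return -math.expm1(math.log(1.0 - confidence) / n_trials)


def compare_test_burden(p_target: float, confidence: float) -> dict:
    """Trials for one design shown to P versus two designs each shown to P^(1/2)."""
    p_each = math.sqrt(p_target)
    per_switch = zero_failure_trials(p_each, confidence)
    return {
        "single_design_trials": zero_failure_trials(p_target, confidence),
        "per_switch_trials": per_switch,
        "two_design_total_trials": 2 * per_switch,
        # Two separate test campaigns must both give a valid bound.
        "joint_confidence": confidence ** 2,
    }


def series_short_circuit_probability(p_each: float, beta: float = 0.0) -> float:
    """Approximate probability that both series switches are short-circuit.

    beta is the assumed fraction of each switch's failures that come from a
    shared cause and therefore defeat both switches together (beta-factor
    model). beta = 0 is the fully independent case the note relies on.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must lie between 0 and 1")
    common_cause = beta * p_each
    independent = ((1.0 - beta) * p_each) ** 2
    return common_cause + independent


if __name__ == "__main__":
    P_TARGET = 1e-6      # constructed target probability
    CONFIDENCE = 0.95    # constructed confidence level
    burden = compare_test_burden(P_TARGET, CONFIDENCE)
    for name, value in burden.items():
        print(f"{name}: {value}")
    p_each = math.sqrt(P_TARGET)
    for beta in (0.0, 0.01):
        combined = series_short_circuit_probability(p_each, beta)
        print(f"beta={beta}: combined short-circuit probability ~ {combined:.3e}")
```

With these constructed figures the two-design route needs thousands of clean trials rather than millions, but a 1 % common-cause fraction alone puts the combined probability an order of magnitude above the target, which is why the independence of the two designs has to be argued separately.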


Figure A.1 Illustration of Safety Margin for an EED

Figure A.2 Illustration of Safe Margin for an Electronic Switch

Annex B
The Nature of Problems Associated with EED and Their Firing Circuits

B.1 Introduction
EED are intended to function following application of an electrical stimulus and therefore they must be
protected against:

a) Inadvertent application of power.

b) Electromagnetic interference (EMI).

c) Initiation caused by software errors.

B.2 Inadvertent Application of Power

B.2.1 Inadvertent application of power may arise as a consequence of:

a) Application of intended firing power through:

i. Failure of safety breaks and firing switches, electronic or electromechanical.

ii. Failure of electronics controlling safety breaks and firing switches.

iii. Failure of wiring or connectors.

iv. Inadvertent operation of switches by an operator.

v. Malfunction of a sensor that allows premature application of power.

b) Failure in the electrical wiring, particularly in connectors, which allows an EED to be connected to a
source of power used in a weapon system.

c) The use of test equipment which is not safe under single-fault conditions, or which can degrade the
integrity of safety breaks.

d) The application of unintended power sources having connectors able to mate with those used in a firing
circuit and which might initiate an EED or degrade the integrity of safety breaks and firing switches.

e) Errors in the implementation of electronic logic systems, particularly those that are software controlled.
The increasing complexity of microelectronic technology has made it extremely difficult, if not
impossible, to construct fault models and hence determine the consequences of single faults or failures.

B.2.2 Careful attention to the choice of components and operating procedures and to the engineering of a
firing circuit in conjunction with a detailed risk assessment can significantly reduce the probability of the
inadvertent application of power.

B.3 EMI

B.3.1 General

B.3.1.1 EMI might cause initiation of an EED directly because of internal power dissipation or indirectly by
causing premature operation of safety breaks, firing switches or associated microelectronic devices. Current
and projected trends in the development of digital microelectronic technology are leading to smaller noise
margins, lower switching-threshold voltages and lower energy activation levels with the result that such
technology is becoming more susceptible to EMI.

B.3.1.2 EMI may arise as a consequence of:

a) Pick-up of RF energy from transmitters either directly associated with, or external to, the installation.

b) Transient energy, e.g. when electrical circuits within, or external to, the installation are energised or de-
energised.

c) Coupling between firing lines and low-frequency power supply lines or other slow time varying high
power circuits (e.g. degaussing and deperming).

d) Generation or induction of electrostatic energy on firing lines, or the inadvertent connection of a charged
body to firing lines.

e) Lightning strike on, or in the vicinity of, the installation.

f) Pick-up of the Electromagnetic Pulse (EMP) energy from nuclear weapon events.

g) The use of test equipment and test leads which degrade the compatibility of the installation with its EM
environment.

B.3.1.3 A semiconductor switch which is powered, but held in the 'off' condition by a bias voltage, may be
extremely susceptible to being switched to the 'on' condition by EMI because switching threshold and noise
margins may be very low (Figure B.1). Consequently, an EED controlled by powered semiconductor
switches may be subjected to a greater risk of premature initiation than an EED controlled by mechanical or
electromechanical switches.

Figure B.1 Powered Semiconductor Prematurely Switched on by EMI

B.3.1.4 If EMI can deposit sufficient energy in the junction area of a semiconductor switch, a permanent
short-circuit may develop with the consequent risk of premature application of firing power.

B.3.1.5 The relatively high self-capacitance of a semiconductor switch in its 'off' condition means that it
provides a lower impedance path for RF pick-up energy than a mechanical or electromechanical switch
(Figure B.2). There is therefore a greater risk of inadvertent initiation, particularly at higher frequencies, if an
EED is controlled by a semiconductor switch than if a physical break is employed even when the system is
not powered.


Figure B.2 Switch Self-capacitance

B.3.1.6 The levels of EMI to which a firing circuit might be subjected can be significantly reduced by
careful system and circuit design intended to minimise:

a) The degree of coupling to potential sources of EMI - by increased separation.

b) Conducted EMI - by provision of suitable filters.

c) Radiated EMI - by provision of suitable EMI shielding/screening.

B.3.2 RF Pick-up

B.3.2.1 Radio and radar transmitters throughout the world operate over a wide frequency spectrum as
shown in Figure B.3. Full details of the RF environment in which service equipments may have to operate
are given in Annex H. Any lengths of wire forming all or part of the firing lines to an EED, when placed in an
RF field, will act as an aerial and pick up some electrical energy from the field (Figure B.4). The level of pick-
up will depend upon the physical and electrical parameters of the pick-up wire relative to the wavelength (λ)
of transmission and the polarisation and power density of the RF field at the position of pick-up.


Figure B.3 NATO Letter Designations for RF Bands


Figure B.4 Firing Line and Representative Equivalent Aerials

B.3.2.2 As the frequency varies, maximum pick-up for a given length of wire will occur when the
components of the firing circuit produce a matched condition. Other configurations of wires (Figure B.5)
could theoretically enhance the pick-up on the firing leads for an EM wave arriving from a particular direction
but these can only be checked/detected by trial measurements.

Figure B.5 Fortuitous Multi-Element Aerial

B.3.2.3 The amount of energy fed to a connected EED will depend mainly on the ratio of the source to load
impedance of the firing lines and EED. However, sufficient energy to fire most EED can be picked up in
substantially lower RF field strengths than the levels in which service equipments are required to operate.
More detailed information on impedances and pick-up characteristics is given in Annex B of Part 3.

B.3.2.4 Any electrically conductive component of the mechanical structure of a system will resonate in an RF
field at some frequency and the resultant circulating current may induce RF energy into EED firing circuits in
its vicinity. Moreover, RF fields can penetrate inside the structure if discontinuities exist in the skin
(Figure B.6) and some features of the weapon system structure can influence the RF pick-up characteristics
of the EED circuit. Items such as suspension lugs, arming wires, braiding of umbilical cables, firing rails and
the structure of parent vehicles or launchers may be part of the RF pick-up circuit.


Figure B.6 Field Penetration of Apertures in a Metal Enclosure

B.3.2.5 An EED assembly, installed in a metal container such as a cartridge or shell case and accessed
via a connector mounted in the case, is relatively insensitive to RF when disconnected from the firing line
because of the inefficient coupling to the EED and the internal wiring. However, if during handling, contact is
made between the connectors and an external body such as the system structure, a length of wire,
screwdriver or the fingers of an operator, an efficient aerial may be formed which will pick up increased levels
of RF and feed it to the EED (Figure B.7).

Figure B.7 Operator Forming an Aerial

B.3.3 Induced Transient Energy

Switching transients are generated when circuits are energised or de-energised. The transient consists of a
damped oscillation, the basic frequency of which is dependent upon the length and electrical characteristics
of the wires and the components generating the transient. In installations where the wiring runs are shorter
than 30 m the basic frequency of the transients tends to be greater than 500 kHz but in longer lines the
frequency can be much lower. The opening or closing of switch contacts, particularly those associated with
inductive loads, produces most transients, and they may be conducted to all the electrical circuits of an
installation served by a common power supply. In addition, the transients may be coupled
electromagnetically to other lines that run in close proximity to the lines carrying the transients. In general, if
the firing lines are isolated from ground and are less than 1 m long or are greater than 50 mm from any cable
likely to carry significant transients, there will be minimal coupling between the two. For other configurations,
screening or shielding measures will be required. The results of some experimental work related to transients
are shown in Thales ME Ltd Report RHD 2033 [33].

B.3.4 Induced Low Frequency Energy

Electromagnetic coupling can occur between firing lines and adjacent lines that carry low frequency power
supplies in a manner similar to the induction of transients. The magnitude of the induced signal depends
upon the strength of the source signal, the proximity of the lines and the length of the run. For this reason
firing lines should not be included in cable bundles and should be separated from all power supply cables. In
general, for power lines of up to 20 A, where the length over which coupling occurs does not exceed 30 m,
the effect at power supply frequencies (5-2400 Hz) on non-electronic systems is small and can be
disregarded (particularly when the pick-up lines are open circuit at one end). However, when considering
electronic firing systems or where large power supplies are involved, particular attention should be given to
the possibility of inducing low-frequency EMI into sensitive signal leads irrespective of wiring configuration.
Rapid relative movement between an EED circuit and a DC or low frequency magnetic field will give rise to
inductive coupling which theoretically may induce sufficient power to fire a sensitive EED. Degaussing
systems (in ships and submarines) and deperming operations (in submarines) are the largest sources of LF
magnetic fields but provided the firing circuit does not have a large loop area these are unlikely to induce
sufficient power to directly fire an EED. The hazard can usually be addressed by a simple calculation. An
example calculation of the pick-up from a magnetic field is included in Part 3 Annex B. If a transformer is
used in a firing line, the pick-up from external magnetic fields will need careful assessment if the transformer
design does not adequately reject external magnetic fields.

B.3.5 Induction and Generation of Electrostatic Charge

B.3.5.1 Whenever a conducting body is placed in an electric field, such as exists between the earth and the
ionosphere, a potential will be induced on that body according to its position in the field. This potential (with
respect to earth) becomes considerable at high altitudes or in the proximity of a thunderstorm cloud where
voltages of 100 kV, or more, may be induced on a body. If the body has sufficient capacitance the resultant
charge can be significant.

B.3.5.2 Engine combustion, the rubbing of dissimilar substances and the blowing of dust, sand, dirt, snow,
ice crystals and rain against a body can also generate electrostatic voltages. A helicopter can achieve a
voltage of up to 300 kV (above local ground conditions) due to these charging processes combined with the
atmospheric electrostatic gradient (see Methods of Determining the Electrostatic Potential and Charging
Current of a Hovering Helicopter [2] and AECTP 250 Leaflet 253 [3]). Packaging materials and the human
body are also capable of charge accumulation and in certain conditions the human body charge can reach
25 kV.

B.3.5.3 The quantity of electrostatic energy that can be stored is a function of the voltage developed and
the capacitance of the body involved. The relationship between stored energy, capacitance and voltage is
given by:

$$E = \frac{1}{2} C V^{2}$$

where: E = energy in joules

C = capacitance in farads

V = voltage on charged body in volts.

B.3.5.4 For a worst-case human body where V = 25 kV and C = 500 pF the energy E is therefore 156 mJ.

B.3.6 Hazards to EED from an Electrostatic Charge

B.3.6.1 Slow charge build-up. Electrostatic hazards to an EED generally arise from the sudden discharge
of energy from an external body rather than from the relatively slow accumulation of charge, although the
latter mechanism cannot be dismissed if the firing circuit or EED form part of the charging circuit. The degree
of hazard posed to an EED by a defined level of electrostatic charge depends upon the type of EED and the
circuit in which it is connected. As a number of low energy devices are single-pole, the EED case is part of
the return circuit and is normally connected to system ground (Figure B.8). The low resistance leakage path
to ground therefore prevents charge accumulation, although circuit design should always aim to prevent
charge accumulation at source.


Figure B.8 ESD Leakage Path of Single-Pole EED

B.3.6.2 An electrostatic charge on the firing lines of a double-pole EED, whether generated or induced, may
pose a hazard if allowed to discharge through the EED in the normal firing mode or to discharge between the
pins and EED case, via the explosive filling, in the abnormal mode (Figure B.9). It is considered unlikely that
sections of firing line normally encountered would be able to store sufficient energy to initiate a conventional
low voltage bridge-wire (BW) EED in the normal firing mode, but it is conceivable that such an EED,
dependent on design, could be initiated in the abnormal firing mode. In general, though, electrostatic hazards
are related principally to discharges from external bodies (e.g. personnel and helicopters).

Figure B.9 ESD Double-Pole EED

B.3.6.3 An electrostatic discharge from an external body to EED firing lines could be dissipated via either
the normal or abnormal firing modes. For example, the charge acquired by a human being could be
discharged accidentally during handling and testing operations and would be potentially hazardous to a
sensitive EED. Alternatively one part of a system structure could accumulate a charge relative to another if
they are not well bonded. The sudden discharge of this energy could be directly onto a firing line or cause
pick-up on an adjacent firing line. Examples of such behaviour have been noted in service systems.

B.3.6.4 The inclusion of a filter in either a single-pole or double-pole circuit does not provide automatic
protection of an EED from an electrostatic discharge (ESD). Indeed the efficiency of the energy transfer may
be increased due to the storage of energy in the capacitor and its relatively slow release to the EED. For this
reason discharge resistors should always be included in filtered circuits.

B.3.6.5 The helicopter discharge level is generally only applicable to a weapon in the state in which it is
carried as an underslung load. It would therefore only normally be relevant to stores in their packaged state.

B.3.6.6 An ESD of more than a few µJ may also damage or cause operation of an electronic firing circuit.
All microelectronic fabrications are susceptible to damage at some level of electrostatic voltage. In particular,
unprotected Metal Oxide Semiconductor (MOS) and CMOS devices may be damaged by a human discharge
at as low as 75 V whilst protected devices may safely withstand levels approaching 4 kV. The latest
generations of semiconductor circuits with smaller gate sizes, lower operating voltages and higher speeds of
operation are extremely sensitive to ESD and can be permanently damaged by relatively low levels of
electrostatic discharge. ESD can also contribute to random failures occurring during the life of a device
because of latent ESD damage being aggravated by subsequent environmental stress.

B.3.7 Lightning Strike

B.3.7.1 The lightning discharge current, its rise time and its duration primarily determine the electrical
effects of a lightning strike on a metal structure. This current may rise to a peak value as high as 200 kA
within microseconds and take a few hundred microseconds to decay to zero. Lower levels of current of up to
800 A may then flow for up to 1 s. A lightning strike also produces a radiated EM field that can induce
currents in circuits and structures. The fields from a nearby strike can reach values of up to 3 MV m⁻¹ at 10 m.
AECTP 250 Leaflet 254 [4] provides a full description of the lightning environment.

B.3.7.2 The high currents follow the lowest impedance path to ground and in doing so can fuse wires, burn
holes in structures and burn out electrical equipments. Any resistance or inductance in the path of this
current may cause a high voltage to develop of sufficient amplitude to break down insulation and short-circuit
to nearby earthed objects or circuits. In addition (and probably the most likely risk for firing circuits), magnetic
fields produced by the primary current flow may induce secondary currents into adjacent firing lines of
sufficient amplitude to fire an EED directly, or indirectly by operation of safety breaks and firing switches.
Single-pole system-ground return circuits are particularly at risk from such currents because of the very high
voltages which may be developed between separate grounding points on a weapon structure and the
resultant possibility of breakdown or coupling across the safety switches (Figure B.10).

Figure B.10 Single-Pole Earth Return Firing System

B.3.8 Electromagnetic Pulse (EMP)

The mechanisms by which a nuclear EMP can subject an EED firing circuit to risk of premature initiation are
similar to those described for RF hazards in sub-clause B.3.2. The EMP field couples with the system
structure and cables, and currents of the order of hundreds of amperes may be induced. Additionally, the
flow of such large currents may develop potential differences sufficient to cause insulation failure in cables,
connectors and switching devices (Def Stan 08-4 [20]).

B.4 Test Equipment and Test Leads


Test equipment and associated test leads, if not satisfactorily protected, may pick up conducted and radiated
EMI or ESD and feed it to an EED firing circuit undergoing test, with the consequent risk of premature
initiation. EMI may also induce erroneous safe indications in test equipment.

B.5 Software and Complex Electronic Circuit Errors

B.5.1 Software, unlike hardware, is not subject to a wear-out mechanism. When a software fault becomes
apparent during the operation of a system it is not because of a physical failure of the software. The fault
becomes apparent because of specification, design or coding errors or omissions, which were not detected
during the software verification and validation phase. Software errors tend to be revealed as a consequence
of a particular set of input data and/or operational conditions which were either not anticipated by the design
or not fully tested. Such errors may cause a system to produce an erroneous output at a critical point in the
operational cycle.

B.5.2 Exhaustive system testing in the hope of revealing all errors is not possible or financially viable,
except perhaps in the very simplest systems, and partial testing is likely to be inconclusive. Therefore, in
order to develop high integrity software it is essential to comply with the principles of design, design
recommendations and assessment procedures provided in Annex E of this document.

B.5.3 Many complex electronic design chips, such as Field Programmable Gate Arrays (FPGAs),
Programmable Logic Devices (PLDs) and Application Specific Integrated Circuits (ASICs), obtain their
functionality via a design/configuration process that involves software. Therefore, in addition to the safety
issues related to failure of the hardware components themselves, there are issues related to inadequate
specification and implementation of the programming process. This process must therefore also be subject
to similar procedures as those applicable to software in microprocessors. This is discussed further in
Annex D.


Annex C
Design Recommendations for EED and their Firing Circuits

C.1 Introduction

C.1.1 Careful observance of the design recommendations detailed in this Annex should ensure an
acceptably low probability of an EED being inadvertently initiated from the following causes:

a) Potential failure modes in the firing system leading to inadvertent application of power.

b) EMI.

c) Software errors.

C.1.2 When observance of the design recommendations can be demonstrated with respect to non-
electronic firing systems, sufficient confidence that the design is safe and suitable for service in the EM
environment may be achieved by a theoretical analysis. However, because of the complex and non-linear
response of electronic circuits in general to EMI, it is likely that firing systems, which utilise electronics, will
require some confirmatory EMC trial in accordance with Def Stan 59-411 [25], or similar, despite compliance
with the design recommendations.

C.1.3 The recommendations made in this Annex with respect to safety in fault conditions and when
exposed to electrical environments, apply to systems employing safety switches and firing switches and to
systems using electrical/electronic circuits to control initiation. The use of electromagnetic shielding and RF
filters to minimise the effects of EMI, and the precautions necessary to prevent ESD, lightning and EMP
hazards are equally applicable to electronic and non-electronic firing systems. For specific recommendations
concerning electronic controls used in firing circuits see Annex D.

C.1.4 Although EED are used in a wide variety of applications, as indicated in Clause 4 of the main part
of this Defence Standard, there are only two configurations in which the EED itself can be installed, known
as in-line or out-of-line. An in-line EED is so called because it is permanently aligned with the explosive/
pyrotechnic train which it is intended to initiate e.g. Thermal Batteries, cable cutters or demolition detonators.
Consequently, if the EED should be inadvertently initiated, the device in which it is employed will function. In
an out-of-line system, until it is armed, a mechanical shutter or a misalignment prevents the rest of the
explosive train initiating. The EED electrical firing circuit may also be interrupted. Mechanically shuttered
systems are normally employed in conjunction with low voltage EED. Almost all applications of out-of-line
EED systems are concerned with the initiation of warheads, break-up units or rocket motors.

C.2 An Idealised Firing Circuit

C.2.1 A simple idealised firing system is shown in Figure C.1. The EED, firing lines, safety and firing
switches and power supply are completely enclosed within an electromagnetic shield with no wiring or
control shaft being allowed to penetrate the shield. Any external components such as the means of operating
the firing and safety switches should be engineered so as not to degrade the effectiveness of the shield. The
shield should be capable of attenuating incident electromagnetic fields by an amount sufficient to ensure that
any pick-up does not exceed a specific level, relative to the NFT level of the EED (or to the malfunction level
of associated electronics). The degree of attenuation required of the shield will be a function of frequency,
the specified RF environment, the sensitivity of the EED and the pick-up characteristics of the wiring.
Microelectronic devices and microprocessors are particularly vulnerable to EMI because of their low
operating threshold. They should therefore be completely contained within an EM shield and every conductor
which breaches the EM shielding should be adequately protected against EMI. (It should be noted that the
idealised circuit would not meet the requirements for a warhead SAU, a rocket motor safety device or for
nuclear weapon applications.)


Figure C.1 Simple Idealised Firing Circuit

C.2.2 Although an all-embracing electromagnetic shield is very effective, its application is restricted to
simple firing systems operating from an individual power supply with compact safety and firing switches and
short wiring lengths. Whenever practicable, designers should take advantage of optoelectronics technology
due to the immunity of fibre-optic cables to the effects of EMI. It is still essential, however, to ensure that all
electronic interfaces are fully protected from the EM environment. An EED firing system should also be
designed to remain safe and serviceable when the weapon in which it is employed is subjected to the
mechanical and climatic environments specified for that particular weapon system.

C.3 Electro-Explosive Devices

C.3.1 The principle in this Defence Standard, sub-clause 5.2.3 and in the guidance at Annex A,
emphasises the desirability of using relatively insensitive EED that will still meet the requirements of the
system. The chosen EED must have authorised No-fire Threshold (NFT) characteristics so that the level of
energy and power, to which the EED can safely be subjected, may be confidently understood. Part 2 Annex
A contains a list of EED which have been previously characterized and lists their NFT parameters. Use of
one of these devices would not normally require further characterization and is therefore recommended
where possible. Where for system design considerations a new device is used then it must be characterized
in accordance with Part 2 of this Def Stan. In order to reduce the possibility of inadvertent initiation by RF
absorption a double-pole EED is preferred whenever practicable (see sub-clause C.7.4.5).

C.3.2 EED characterization requires between 150 and 300 EED, depending on the EED response
characteristics. The sensitivity of EED has been shown to decrease with frequency so that the direct current
(dc) sensitivity, being the worst case, is generally used in electrical and RF assessments. However, where
measurement uncertainties occur at dc, it has sometimes been necessary to establish sensitivity parameters
at radio frequencies. In addition up to 50 EED may be necessary for ESD sensitivity tests.

C.3.3 Low voltage EED such as Conducting Composition (CC) and Film Bridge (FB) devices, which could
be susceptible within the duration of a single radar pulse in a repetitive pulse environment, should be
confined in their use to those weapon systems for which there is a clear need for fast functioning.

C.4 Power Supplies

C.4.1 It is recommended that dc or low-frequency (<10 kHz) power supplies are used to initiate low
voltage EED in order to allow the use of low-pass RF filters to protect an EED from EMI.

C.4.2 If a power supply used to initiate an EED is also used to power other services, as much as possible
of the total system should be screened. Sections far removed from EED firing lines may appear to have no
bearing on the safety of an EED, but there is always the danger that EMI will be conducted to a sensitive
circuit or be fed to an EED via stray capacitance or common impedance coupling.


C.5 Firing Circuits

C.5.1 EED in In-line Systems

C.5.1.1 The safety of a fully manually controlled firing system (e.g. to fire a gun or a demolition charge) is
dependent on the degree of isolation of the EED from the source of firing power (i.e. on the reliability of
conventional manual switches of the toggle, push button or rotary type (Figure C.2) and on the prevention of
inadvertent manual operation).

Figure C.2 Simple Firing Circuit

C.5.1.2 In other applications, such as the operation of gas generators or explosive bolts, the EED may be
initiated automatically on receipt of signals from timers or sensors, which respond to stimuli experienced
during deployment of the munition. Safety is again dependent upon isolating the EED from the source of
firing power until initiation is required but now the reliability of the associated timers, sensors etc., and any
potentially hazardous failure modes they may have, needs careful consideration.

C.5.1.3 Currently, low-voltage BW EED use relatively sensitive primary explosive compositions that
preclude their use in in-line fuzing or rocket motor initiation systems. There are two types of EED currently
available for use in such in-line systems; the Exploding Bridge-Wire (EBW) and Exploding Foil Initiator (EFI).
These require a high voltage firing pulse for initiation which may be provided by a pulse forming network
containing a capacitor charged to 1 kV or more.

C.5.1.4 To reduce the risk of inadvertent initiation of a warhead or rocket motor to an acceptable level
during transport, storage, handling and when deployed, the in-line firing capacitor is prevented from being
charged by an Electronic Safety and Arming Unit (ESAU). For a warhead, charging must be prevented until
(as a minimum) the specified safe separation distance has been achieved. Since dudding of High Voltage
(HV) EED occurs at a capacitor voltage considerably lower than the NFT and it is necessary to ensure that
neither the firing nor damage threshold voltage is reached, RADHAZ assessments of in-line fuzing/initiation
systems are generally made using the malfunction thresholds (defined as voltage on the firing capacitor and
power to the bridge which cause the EED to be damaged or unable to fire) rather than the NFT. [Note that in
US assessments the threshold is generally taken as 500 V, to which a safety margin is then applied
(generally 15% = 75 V). Whilst this has merit in being simple to apply and common to all systems, in the UK it
would normally be expected to use the actual MFT (derived in accordance with Part 2) and a safety margin
as discussed in Part 3.]

C.5.1.5 In practice the use of static switches to enable charging of an in-line warhead/rocket motor firing
capacitor, as illustrated in Figure C.3, is not permitted by STANAG 4187 [30] or STANAG 4368 [31] and a
dynamic switch to protect against short circuit failures is required. A block schematic of a more typical
Electronic Safety and Arming Unit (ESAU) is shown in Figure C.4. The mechanical or electromechanical
switches are replaced by static and dynamic
semiconductor switches configured to satisfy requirements for a fail-safe safety feature (see Annex D) in
addition to a trigger switch.

Figure C.3 Idealised In-line Fuzing System for Warhead Initiation

[Figure C.4: block schematic. Labelled elements: +V and -V supply, Firing Signal, Logic Devices, Triggered switch, In-line HV EED.]

S1 - First Environmental/Event Sensor
S2 - Second Environmental/Event Sensor
SS1 - First Static Switch
SS2 - Second Static Switch
DS - Dynamic Switch
T - LV to HV Transformer
D - Diode/Rectifier
C - Firing Capacitor
R - Parallel Discharge Resistor

Figure C.4 Typical Non-interrupted Explosive Train Safety and Arming Device

C.5.2 EED in Out-of-Line Systems

C.5.2.1 When the EED is out-of-line, the design is such that, should the EED be inadvertently initiated, the
effect will not result in the functioning of the explosive train. Its inadvertent initiation is therefore normally a
reliability problem, not a safety problem.

C.5.2.2 To ensure safety in operational use, the shutter is designed to respond only to specific unique
environmental forces experienced by the munition during deployment. The system is considered armed
when the shutter has been removed or the EED has been moved to the in-line position. In some
systems additional safety features may be in place to prevent firing until later in the munition
flight/use.

C.5.2.3 The availability of firing power is controlled by safety switches and arming switches, which are
closed in a predetermined sequence, to prevent arming until required. Some safety switches are designed to
function upon the application of a physical stimulus such as pressure or acceleration. Figure C.5 depicts a
generalised firing system. Electro-mechanical and electronic switches will require an electrical stimulus,
which is a trigger-signal. Trigger-signal generating circuits might be activated directly by sensors, which
monitor environmentally derived stimuli, or indirectly by such sensors providing an input to a microprocessor
system under the control of software.

Figure C.5 General Firing System

C.5.2.4 In a bomb or shell fuze application, the environmental forces that operate the shutter might also be
used to activate the source of firing power. In such applications an electronic timer might be used to delay
arming until late in the flight. The timer effectively determines the safe separation distance and consequently
careful assessment of its reliability and degree of immunity to EMI will be required. The timer must not be
subject to a failure mode that results in early arming. Such a failure mode might hazard an aircraft releasing
a bomb, or put at risk friendly troops over whom a shell may be fired.

C.6 Firing and Safety Switches

C.6.1 Firing circuits should be so designed that when initiation of an EED is unacceptable, there should
be at least two independent circuit breaks, connected in series between the EED and its source of firing
power. In the case of nuclear munitions additional safety breaks are required and reference should be made
to the relevant safety authority for this aspect of the design.

C.6.2 All switches associated with the launch or firing sequence should be designed so that it is possible
to return them to their open-circuit condition, in the event of a misfire or cancellation of firing, so that the
required level of safety can be restored.

C.6.3 The use of double-pole switches is preferred (see sub-clause C.7.4.5).

C.6.4 The last switch to be closed, that is, the switch which completes the firing circuit and thus initiates
an EED, should be placed as close as possible to the EED. The firing lines between that switch and the EED
should be fully screened to provide protection against radiated EMI. The capacitance across a switch should
be as low as possible and preferably not greater than 1 pF.

C.6.5 Switches should be designed to respond only to their intended stimuli. Electrically operated
switches should be immune to operation by EMI; electromagnetic relays and solenoid operated rotary
switches are very robust in this respect. Cyclic time delay switches, programme motors and similar devices
used in a firing circuit, where safety is dependent on a rotor being set at a start-position, should be provided
with a positive means of checking that the rotor is at the start position.

C.6.6 Post-launch safety switches/sensors should utilise an operating stimulus that can only be
experienced as a consequence of weapon operation. Examples of such stimuli are acceleration, rocket
motor pressure, water pressure, the force exerted by a lanyard, etc. Provided that it can be shown that
components designed to respond to a particular stimulus do not respond to other components of the
specified mechanical and climatic environments, and are not susceptible to hazardous failure modes, they
should prove to be safe and suitable for service in munitions.

C.7 Firing Lines

C.7.1 Firing lines should be kept as short as possible and positioned close to any shielding structure,
avoiding apertures likely to be exposed to the EM environment. They should also be routed separately from
lines which carry other electrical services in order to avoid induction of EM energy caused by, for example,
transients and low-frequency power supplies, and to minimise the risk of an accidental short-circuit to power
lines. When it is unavoidable that firing lines share a wiring loom and an electrical connector with other
conductors, the connector pins used for the firing lines should be protected from the electrical services
connected to the other pins by an isolating barrier or a ring of earthed pins.

C.7.2 Single-Pole Firing Lines

C.7.2.1 Single-pole unscreened firing systems are not recommended. Although they can be designed to
remain safe and serviceable in a specified RF environment by the application of screening and filtering,
safety switches can still be susceptible to voltage breakdown which could arise as a consequence of the high
currents induced into a weapon structure by an EMP or lightning event (Figure C.6). For this reason double-
pole screened firing lines are preferred. Where an EED with a case return is essential the return line to the
power source should be via a dedicated wire and not use the system structure.

Figure C.6 Single Pole Ground Return System

C.7.2.2 If a single-pole system with ground return cannot be avoided, the resistance of the earth, or system
ground return, should be as low as possible and preferably not greater than 50 mΩ. Single-pole firing
systems with parallel EED should not be used in any circumstances since the EED firing circuit can form a
circuit loop (see Figure C.7) in which the safety switch affords no protection whatever against induced
current.


Figure C.7 The Hazard to Parallel EED in a Single Pole Ground Return System

C.7.3 Double-Pole Firing Lines

C.7.3.1 Balanced mode EMI in a double-pole circuit will be reduced if the wires are held close together
throughout their length. A double-pole circuit is best when isolated from ground, particularly at the EED
termination, to minimise the effects of common mode pick-up (see Part 3 Annex C).

C.7.3.2 Twisting the firing leads can reduce susceptibility to balanced mode EMI by ensuring a minimum
wire separation and reducing irregularities. Whether the firing lines are closely laid parallel pairs or twisted
pairs, a double-pole circuit will be susceptible to common mode EMI to exactly the same degree as a single-
pole circuit of the same configuration.

C.7.4 Screening of Firing Lines

C.7.4.1 Flexible braiding (of optimised weave) or rigid screening such as ducting or conduit placed around
the firing lines will significantly reduce pick-up across the frequency spectrum of concern. Screening,
correctly applied, can give considerably greater than 20 dB protection against most EMR sources. In
common with the shielding requirements of the idealised system (Figure C.1), the braiding in conjunction
with the metal screens of associated junction boxes should cover the whole installation (including the power
supply and all other circuits fed by the power supply) to be effective. If firing lines share a wiring loom with
other power/signal lines, they should be separately screened and not simply share the overall loom screen.
When a system employs more than one EED, the firing lines to each EED should be individually screened to
prevent mutual electromagnetic coupling.

C.7.4.2 The screening braid of firing lines must always make a 360° peripheral contact with the backshell of
any connector. It is essential to ensure that the braiding is not formed into a pigtail and terminated on the
outside of the connector or fed through a plug and socket via one of the pins. The former will result in an
unscreened portion of wiring while the latter will reduce the shielding effect by introducing RF into the
shielding enclosure.

C.7.4.3 Since unscreened sections of a firing circuit may be subjected to EMI, it may be necessary to fit RF
filters in the firing lines (see Clauses C.8 to C.10). Firing circuits which are only partially screened should
have their earthing or grounding arrangements carefully specified so that any EMC assessments (or trials
that may be necessary) can be carried out on a representative build standard. When it is not practicable to
screen a complete system, the screening of the firing lines should commence at the EED shield and extend
as far as is possible upstream towards the source of firing power. For EMC purposes, the screen should be
grounded at the point where the firing lines emerge from the local shielding. When there is an EMP
environment specified for a particular weapon system, it is recommended that either single point or
herringbone earthing, or grounding, be implemented (Figure C.8).

Figure C.8 Earthing/Grounding Schemes

C.7.4.4 The screening braid of a firing line must NOT be used as the return circuit. For this reason coaxial
firing lines are not recommended unless further adequate screening is employed.

C.7.4.5 Cables employing double-braided shielding offer significantly greater attenuation of EMI than do
cables employing a single-braided shield, provided that the shields are insulated from each other except at
their terminations. It is recommended that twisted, or closely laid parallel, screened pairs be used for all
double-pole firing systems, in conjunction with double-pole firing and safety switches and overall EM
shielding (Figure C.9).

Figure C.9 A Fully Screened Modular Firing System

C.7.5 Ribbon or Thin Film Cable

C.7.5.1 Where firing lines are included in multi-strand ribbon cable the firing lines should use adjacent
conductors and should be isolated each side from other power circuits, ensuring the isolation is maintained
at the connector. Screening of such cables is difficult and should normally be achieved by installing in a
shielded enclosure.

C.7.5.2 Thin film cables used to initiate high voltage devices such as EFI should be kept as short as
possible maintaining low inductance but, due to their low susceptibility to RF, normally need not be
screened.

C.7.6 Printed Circuit Boards

Due to the difficulties during a hazard assessment of determining the isolation of firing lines included on a
motherboard this practice is not recommended. Where it is not possible to isolate firing lines from a
motherboard or printed circuit board, the firing lines should be laid as close parallel pairs. The lines should
also be segregated as far as possible from other lines which carry sufficient current/voltage to initiate the
circuit. On a multi-layer board the assessment should include the isolation of the circuit(s) from other circuits
on adjacent layers. Where appropriate, screening between layers should be considered. This applies
especially at the connectors where interconnecting pins can be in close proximity with other power lines on
boards many layers below or above that of the carrier.

C.7.7 Firing Line Connectors

C.7.7.1 Electrical connectors employed in firing lines should be so designed that:

a) It is possible to make connection only with the intended connector.

b) When disconnected, it is impossible for an operator or an external structure to accidentally touch any
pins connected to an EED. Wherever possible firing lines connected to EED should be terminated at
recessed female pins.

c) The connector shells have a good conducting finish and they make connection and provide 360° RF
shielding before any pins make connection.

d) The termination arrangement for cable screening braid provides a 360° peripheral contact.

C.7.7.2 To ensure a sound RF leak-proof connection the mating halves of a connector should be secured
by a threaded coupling preferably fitted with RF fingers. Bayonet coupling connectors, for example, are
unsatisfactory unless they incorporate spring finger grounding contacts. Fixed connectors should make a
reliable and consistent contact with the bulkhead to which they are fitted. Circular-flange connectors secured
by a single fixing nut are satisfactory in this respect. Rectangular connectors secured by fixing bolts may be
less satisfactory, as the connector flange may distort between the fixing bolts and allow RF energy through
the gap created. In such cases it will be necessary to fit an effective RF gasket between the connector and
the bulkhead which is capable of accommodating the distortion (see Clause C.15).

C.7.7.3 When a firing line connector is mated in a high intensity RF field, arcing may occur which could
result in some rectification of the RF pick-up, producing signals within the pass band of a low pass filter. This
potential hazard can be circumvented by the choice of a connector which meets the requirements of
sub-clause C.7.7.1 c), and by avoidance of high intensity RF fields during connection.

C.8 RF Filters

C.8.1 Filters which are described as micro or miniature are unlikely to be physically robust enough to
handle significant RF power dissipation without losing attenuation performance. Filter arrays, where the
filters are pre-mounted on thin metal plates or filters which are mounted in structures which do not cover
most of the filter body (such as filter connectors) are also unlikely to be able to dissipate sufficient RF power
to maintain the attenuation required to directly protect many EED from the full Minimum Service RF
Environment (MSRFE). These RF filters are discouraged when used directly between the firing circuit and
the EED as the only protection. It is generally accepted that most other filters are capable of continuously
dissipating 2 W of RF power without unacceptable degradation of their attenuation versus frequency
characteristics. For protection of EEDs, however, 2 W dissipation may be inadequate in many circumstances
although the power dissipation requirements of filters can be significantly reduced by careful layout of the
firing lines (e.g. using twisted pairs and screening).

C.8.2 When installing an RF filter it is essential that the filter is correctly bonded to the shield in which it is
mounted, otherwise RF leakage will occur. Filters should be mounted as closely as possible to the EED
being protected.

C.8.3 Since filter attenuation, as measured by standard insertion loss tests, cannot necessarily be
achieved in practical circuits involving EED (due to the low impedance of the EED) it is recommended that
when assessing the performance of a filter in an EED circuit a reduction factor on the manufacturer's quoted
attenuation is used. A factor of 20 dB should be subtracted for low pass pi-section filters, 13 dB for low-pass
L filters, and 6 dB for low-pass T filters.

C.8.4 DOSG (and predecessors) have qualified a small number of filters that are capable of continuously
dissipating 10 W of RF power in accordance with Thales ME Ltd Report DMP 11928 [32]. Filters having a
10 W rating have been assessed to reliably maintain their attenuation whilst in the specified minimum
services RF environment at all frequencies, provided that their exposed firing leads meet the following
criteria:

a) Their overall length does not exceed 2 m, or

b) Their average separation from each other or ground does not exceed 12 mm, or

c) They are protected by a shield or screen which is effective at frequencies up to at least 30 MHz.

C.8.5 The above does NOT imply an increased power rating.

C.8.6 Where high power dissipation is not required filter connector pins, preferably of the feed-through
type, (which may not meet the requirements of Ref [32]) may be used as an alternative to discrete filters,
particularly where low-frequency attenuation is necessary.

C.8.7 In firing circuits incorporating RF filters, semiconductor or rectifying devices should not be
connected in series or parallel with the firing lines between the filter and the last open-circuit break. Such
components will rectify any conducted RF signals and may produce a uni-directional signal against which a
low-pass filter will provide no protection.

C.8.8 Filters cannot normally be used to protect high voltage EED, e.g. EBW and EFI, against EMI
because their series inductance and shunt capacitance preclude the very rapid rise time of the firing pulse
necessary for high voltage initiation. Although it is not credible that an approved high voltage EED could be
initiated as a consequence of EMI, it is conceivable that EMI might result in dudding (see Part 2
sub-clause 4.3.3) of a high voltage EED. It is important therefore that any high voltage EED installation,
including any associated electronics, should be adequately shielded from the EM environment.

C.9 RF Filter Modules

C.9.1 When an EED is incorporated with suitable RF filters in an electromagnetic shield, as shown in
Figure C.10, the assembly is referred to as an RF filter module. Such a module can be made relatively
immune to both the conducted and radiated EMI likely to be experienced in the service EM environment.
Bench testing without the need to involve the complete weapon installation can prove the integrity of a
module.

C.9.2 Given an effective electromagnetic shield in which connectors and filters are mounted according to
sub-clauses C.7.7.2 and C.8.2, a module incorporating a filter of adequate power rating can provide
complete protection to an installed BW EED. For CC or FB EED (which are susceptible to pulse power) the
configuration and screening of the external firing circuit must be considered as the filter module alone may
not be sufficient.

Figure C.10 RF Filter Module

C.10 Filtered Connectors

C.10.1 Filtered connectors are available with a range of filter-pin sizes and electrical characteristics. This
type of connector may also be suitable in multi-way connectors for protecting inputs and outputs associated
with the use of microelectronic devices and microprocessors against the effects of conducted EMI (see
sub-clause C.7.7). The inclusion of feed-through pins, i.e. unfiltered pins, will severely reduce the overall
effectiveness of a multi-way filtered connector and such pins should not be used.

C.10.2 Filtered connectors can have various combinations of pins of nominal inductance and capacitance
depending on the required attenuation versus frequency characteristics. Since RF interference current is
likely to be common to all conductors within a cable, there is little point in selecting different values of filter-
pin within any one connector. The choice of electrical characteristics should allow maximum attenuation
down to the lowest possible frequency consistent with the bandwidth of the signals being processed.

C.10.3 A filter capacitor requires consistent low RF impedance to ground in order to function efficiently.
For this reason, filtered connectors which utilise all-metal grounding paths are preferred to those that depend
upon metal loaded compounds that may deteriorate with age and introduce increasing RF impedance to
ground.

C.10.4 Most filtered connectors are compatible with their unfiltered counterparts. Although free
connectors are available with filter-pins these should generally be avoided. For optimum performance the
filter-pins should be in the fixed connector.

C.10.5 Filtered connectors should also be compatible with the mechanical and climatic environments
specified for the particular weapon system in which they are to be incorporated.

C.11 Optoelectronic Components

C.11.1 When designing an EED firing system consideration should be given to the use of optoelectronic
interfaces linked by fibre-optic cables, because such cables are totally immune to EMI. However,
semiconductor light-sources, photo-detectors and associated electronics still need full protection from the
EM environment. If an EED firing system incorporating optoelectronic techniques is required to remain safe
and serviceable when subjected to a nuclear environment, due allowance should be made for potential
degradation caused by radiation damage.

C.12 Electrostatic Discharge

C.12.1 AECTP 250 Leaflet 253 (Ref [3]) defines the worst-case electrostatic environment that may be
encountered by munition/weapon systems during handling, transportation and deployment.

C.12.2 To minimise the possibility of introducing an electrostatic charge on the firing lines from an
externally charged body, all plugs and sockets fitted in a firing system should be connected so that the firing
lines from an EED are terminated at recessed female pins of a connector.

C.12.3 Cartridges, ammunition and any system which has an EED firing line/pin capable of being touched
during normal use, should have recessed firing contacts in their base/connectors so that accidental contact
between them and other bodies, which could be electrostatically charged, is minimised. In addition the EED
to be used should be immune to the maximum personnel ESD level defined in Ref [3].

C.12.4 The electrostatic charge that can be accumulated on a firing line should be assessed in
accordance with Annex B.3.6. When carrying out this assessment it should be borne in mind that in a
double-pole system discharge of stored electrostatic energy can also occur between either of the lines and
the EED case. This could result in the abnormal mode of firing of the EED. Discharge through the filling of
most EED would require a potential of at least 1 kV but only relatively low amounts of energy may be
required to initiate the EED.

C.12.5 If the quantity of stored energy can exceed a safe level relative to the NFT level of an EED or pose
a risk of damage to associated electronics, discharge resistors shall be fitted to every section of line involved
(Figure C.12). Discharge resistors should consist of parallel pairs to avoid loss of protection in the event that
one resistor should fail open-circuit. The value selected will depend upon the characteristics of the EED and
the firing supply.

Figure C.11 Protection from Charge Accumulation

C.13 Electromagnetic and Electrostatic Shielding

C.13.1 Shields intended to attenuate uni-directional and low frequency (power frequencies) magnetic
fields must necessarily be constructed of magnetic materials having a high value of permeability, such as
permalloy. Such a material provides a low reluctance path for magnetic flux and thereby diverts flux from the
area to be shielded. However, due to the low levels of power that can be induced on firing circuits this type of
shield is only likely to be required in areas of very high fields or for circuits that use a ground return or which
have an exceptionally large loop area.

C.13.2 For plane transverse electromagnetic waves at higher frequencies, satisfactory attenuation may
be achieved by either magnetic or non-magnetic materials having high electrical conductivity (e.g. copper,
aluminium or brass). Both electric and magnetic fields decrease with penetration falling to 37% (i.e., 1/e) of
their surface value in a distance ($\delta$) known as the skin depth:

$$\delta = \frac{1}{\sqrt{\pi \sigma \mu_0 \mu_r f}}$$

where $\sigma$ = conductivity (S m$^{-1}$)
$\mu_0$ = permeability of free space ($4\pi \times 10^{-7}$ H m$^{-1}$)
$\mu_r$ = relative permeability of medium
$f$ = frequency in Hz
$\delta$ = skin depth (m)

C.13.3 The thickness of the shield used should not be less than 5 times the skin depth at the lowest
frequency to be shielded.

C.13.4 Any conductor may be used as an electrostatic shield. There are no particular requirements with
respect to thickness or resistivity; all that is required is that lines of electrostatic flux be provided with a
conductor on which to terminate. To be most effective an electrostatic shield should present a continuous
closed surface, but even a screen or grid of wires will provide a reasonable degree of shielding. Shielding
designed to protect against magnetic fields will also provide protection from electric fields.

C.14 Shielding Due to System Structure

C.14.1 A metallic structure can exhibit a high degree of RF attenuation provided it forms a complete
enclosure. Holes, joints and intermittent seams degrade the screening effectiveness. These defects will
introduce frequency selective leakage, which can, in extreme cases, enhance the local internal RF field
intensity to a level comparable with or higher than that incident on the enclosure. The susceptible
frequencies will depend on both the dimensions of the holes and slots and the dimensions of the enclosure
cavity.

C.14.2 A large metallic structure will itself exhibit multiple surface current resonances that will enhance
the field intensity at any surface discontinuities. An internally or externally mounted sub-assembly located in
the vicinity of a discontinuity will experience the enhanced field intensity at the resonances. This feature must
be considered when testing sub-assemblies in isolation as, when they are finally installed, they may well
experience higher field intensities than the nominal incident field.

C.14.3 If the structure is to provide an effective EM shield then continuous metallic contact must be
maintained between all joints used in its fabrication. Such surfaces must therefore be free of all insulating
coatings and be of materials that will resist corrosion in the climatic environment specified for the installation.
Alternatively, mating surfaces may be protected by an electrically conducting coating. Where contact cannot
be maintained, for example due to vibration or structural design, it will be necessary to fit an RF gasket which
is capable of accommodating the distortion. Tests on some aluminium foil bags which use non-conducting
glues for the seams or which have plastic coatings have shown little or no attenuation in the GHz bands.

C.14.4 Provided that there are no open doors or windows of non-metallic material in the structure, and
that adjacent metalwork panels are either joined at the junction or connected by point dc contact at intervals
of not greater than 0.125 λ (at the highest frequency of concern), such structures should provide at least
20 dB attenuation although this may not be sufficient to provide full protection for the EED when in the
service electromagnetic environment. Shielding attenuation tests will be necessary to justify claims for higher
attenuation or significant attenuation at frequencies above 500 MHz.
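
An added worked example (not part of the standard): the skin-depth relation of C.13.2, the five-skin-depth thickness rule of C.13.3 and the contact-spacing rule of C.14.4 applied to a candidate shield. The conductivities, the sample frequencies and all function names are assumptions made for this example, and the 0.125 contact interval is read as a fraction of the wavelength at the highest frequency of concern.

```python
"""Shield sizing checks for C.13.2, C.13.3 and C.14.4 (added example)."""
import math

MU_0 = 4 * math.pi * 1e-7   # permeability of free space, H/m
C_0 = 299_792_458.0         # speed of light in free space, m/s

# Nominal textbook conductivities in S/m. Assumed values, not from the standard.
CONDUCTIVITY = {"copper": 5.8e7, "aluminium": 3.5e7, "brass": 1.5e7}


def skin_depth(sigma, freq_hz, mu_r=1.0):
    """Skin depth in metres: 1 / sqrt(pi * sigma * mu_0 * mu_r * f)."""
    if sigma <= 0 or freq_hz <= 0 or mu_r <= 0:
        raise ValueError("sigma, freq_hz and mu_r must all be positive")
    return 1.0 / math.sqrt(math.pi * sigma * MU_0 * mu_r * freq_hz)


def min_shield_thickness(sigma, lowest_freq_hz, mu_r=1.0):
    """C.13.3: not less than 5 skin depths at the lowest frequency to be shielded."""
    return 5.0 * skin_depth(sigma, lowest_freq_hz, mu_r)


def max_contact_spacing(highest_freq_hz):
    """C.14.4: point contacts no more than 0.125 wavelength apart (assumed reading)."""
    if highest_freq_hz <= 0:
        raise ValueError("highest_freq_hz must be positive")
    return 0.125 * C_0 / highest_freq_hz


def residual_field_fraction(thickness_m, sigma, freq_hz, mu_r=1.0):
    """Fraction of the surface field remaining after thickness_m of metal.

    Models only the exponential decay with depth (1/e per skin depth).
    Reflection at the surfaces and leakage through joints are not modelled.
    """
    return math.exp(-thickness_m / skin_depth(sigma, freq_hz, mu_r))


def check_shield(material, thickness_m, contact_spacing_m, f_low_hz, f_high_hz):
    """Return a list of findings; an empty list means both rules are met."""
    if f_low_hz > f_high_hz:
        raise ValueError("f_low_hz must not exceed f_high_hz")
    sigma = CONDUCTIVITY[material]
    findings = []

    # Thickness is governed by the LOWEST frequency (largest skin depth).
    t_min = min_shield_thickness(sigma, f_low_hz)
    if thickness_m < t_min:
        findings.append(
            f"thickness {thickness_m * 1e3:.2f} mm is below 5 skin depths "
            f"({t_min * 1e3:.2f} mm) at {f_low_hz:.3g} Hz"
        )

    # Contact spacing is governed by the HIGHEST frequency (shortest wavelength).
    s_max = max_contact_spacing(f_high_hz)
    if contact_spacing_m > s_max:
        findings.append(
            f"contact spacing {contact_spacing_m * 1e3:.1f} mm exceeds 0.125 "
            f"wavelength ({s_max * 1e3:.1f} mm) at {f_high_hz:.3g} Hz"
        )
    return findings


if __name__ == "__main__":
    # Constructed design case: aluminium enclosure, 100 kHz to 1 GHz.
    for t_mm, s_mm in ((1.0, 50.0), (1.5, 30.0)):
        result = check_shield("aluminium", t_mm / 1e3, s_mm / 1e3, 1e5, 1e9)
        print(f"{t_mm} mm wall, {s_mm} mm contact spacing:", result or "meets both rules")
    sigma = CONDUCTIVITY["aluminium"]
    t = min_shield_thickness(sigma, 1e5)
    print(f"field remaining at 5 skin depths: {residual_field_fraction(t, sigma, 1e5):.4f}")
```

The two rules pull from opposite ends of the band: wall thickness is set by the lowest frequency and contact spacing by the highest, so both limits have to be stated before a structure can be assessed.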

C.14.5 Consistent with these requirements the system structure may be used to form part or the whole of
the shield, provided care is taken to select metals of compatible contact potentials to avoid corrosion so that
an effective RF shield is maintained at all interfaces throughout the service life of the installation.

C.14.6 The only satisfactory method of determining effectiveness of joints in RF sealing is to carry out RF
measurements. DC continuity checks across joints give no indication of effectiveness at RF.

C.14.7 Provided that the shield conforms to the requirements stated above and is free of any
discontinuities and slots or holes larger than 1 mm in their longest dimension, it will adequately attenuate EM
fields at all frequencies in the minimum service RF environment (Annex H). Figure C.12 illustrates correct
and incorrect techniques with respect to the design of joints and apertures in EM shields.

C.15 RF Gaskets

C.15.1 If RF gaskets are to be employed, the following features must be adopted:

a) The gasket material shall be highly conductive, corrosion resistant and compatible with other mating
surfaces.

b) All mating surfaces shall be clean and conductive.

c) The gasket shall be sufficiently thick and resilient to accommodate unevenness in the joint surfaces and
any compression-set that may arise in use and throughout service life, including maintenance routines.

d) The average pressure applied to the gasket shall be sufficient to ensure an RF leak-proof joint without
risk of damage to the gasket or of unacceptable compression-set.

C.15.2 Gaskets constructed from knitted, expanded or woven metal are generally satisfactory because of
their high conductivity and ability to cut through any surface film which may form on mating surfaces. Best
results are achieved when a pre-formed gasket is fitted in a suitable groove machined in the interface.

C.15.3 Gaskets required to perform the dual role of RF and climatic seal may be constructed, for
example, from metal mesh filled with neoprene or silicone rubber, or from a conducting elastomer which
consists of finely divided conducting particles in silicone rubber. The shielding performance achieved will
depend upon the choice of gasket material, the contact surfaces and the applied pressure and will therefore
depend upon the particular application. Where the gasket is used in a dual role the hermetic material must
be capable of protecting the RF material from the extreme environments.

C.16 Protection Against EMP


Not all systems are required to be protected against nuclear effects and frequently only exo-atmospheric
EMP has to be considered. The remainder of this section therefore only considers this threat. Where other
nuclear effects are to be designed for, specific advice should be sought. The need to be protected against
EMP should be identified in the Users Requirement Document. The design recommendations concerning
the use of EM shielding and RF filters intended to protect EED and their firing circuits from the effects of
conducted and radiated EMI, and which are detailed in Clauses C.8 to C.15, are equally applicable to
protection from EMP. Additionally, it may be necessary to incorporate some form of surge arresting device,
the important characteristics of which are switching speed and threshold voltage, self-capacitance and the
ability to self-extinguish at the conclusion of the EMP. Such a device must not degrade the normal operation
of the firing circuit, or the protection provided against EMI (see sub-clause C.8.7). When an EED firing
circuit is a component part of a complex weapon system which is required to be nuclear hardened, the EMP
threat to the firing circuits should be considered as part of the EMP threat to the system as a whole. Detailed
information concerning design techniques and protective measures is contained in Def Stan 08-4 [20].

C.17 Protection Against Lightning


A high level of protection against lightning can be afforded to EED firing circuits provided that the weapon
casing or skin in which the circuit is contained has a metallic skin and has contact impedance between all
metallic components of the casing of less than 0.05 Ω. This impedance needs to be maintained at
frequencies up to about 1 MHz and at the current levels likely to be experienced. In addition, double-pole
wiring, isolated from ground, should be used. However, there are various mechanisms by which lightning can
induce currents on firing lines so the overall hardness of a system against direct, indirect and nearby
lightning strike needs to be assessed in a lightning hazard design assessment. Details of the environment
and assessment/test requirements are given in AECTP 250 Leaflet 254 [4] and AECTP 500 Leaflet 508/4 [8]
respectively.

Figure C.12 Correct and Incorrect Techniques for the Design of Joints

Annex D
Design Recommendations for Electronically Controlled EED Firing
Circuits

D.1 Introduction

D.1.1 The assessment of the safety and suitability for service of an electronic circuit which employs, for
example, manual switches, can normally be made with a high degree of confidence because safety is
dependent on devices which are visible, and which have a long history of safe and reliable use in weapon
systems in the service environment.

D.1.2 The use of microelectronic devices and microprocessors with associated software to control
electromagnetic relays or semiconductor switches makes confident assessment much more difficult because
those elements of the system, on which safety is dependent, are no longer visible. Furthermore the long-
term reliability of the latest generations of microelectronics, when subjected to a weapon system
environment, is uncertain and less predictable. A weapon which includes microelectronics in its firing system
will also be required to remain unaffected for a number of years whilst dormant in a relatively benign
climatic/mechanical and electromagnetic environment followed by a short active period in a harsh
operational or training scenario when the circuits will be required to be safe, frequently without the ability to carry
out any initial testing.

D.1.3 Although simple microelectronic devices in general have been shown to be very reliable, much of
the reliability data available has been generated as a consequence of frequent operation in a relatively
benign environment, rather than as a consequence of one-shot operation in a harsh environment as
experienced by most weapon systems. Moreover, the rapid development and increased miniaturisation of
complex microelectronics means that reliability data is not always available or relevant. These trends also
introduce other potential damage mechanisms such as single event upsets and charge loss. Further, the
requirement to use lead free solders has introduced the risk from tin whiskers causing short circuits on
printed electronic boards which have a high packing density.

D.1.4 Although single semiconductor switches (e.g. FETs) are now mature it is nevertheless considered
advantageous to incorporate an independently controlled switch (which provides a physical break in the firing
circuit, see Figure D.1) if the firing system employs microelectronic devices and microprocessors. It is
recognised that this will often not be feasible and in such cases the safety analysis and testing will need to
address all possible failure modes of the electronic devices.

Figure D.1 Use of Independently Controlled Switch to Provide a Physical Break

D.1.5 The hazard arising from short-circuit or open circuit failure of semiconductor safety features can be
overcome without recourse to a separate physical break by using an ac coupled circuit and dynamic switch
(as required for an in-line warhead fuzing system).

D.1.6 In order to assess an electronic or microprocessor based firing system, evidence will be required of
conformance with the design recommendations given below and in Annex E. Strong justification will be
required for any deviation from these recommendations.

D.2 Design Recommendations

D.2.1 General

D.2.1.1 In order to maximise confidence in an assessment of safety and suitability for service of an EED
firing system that incorporates microelectronic devices and microprocessors with associated software, the
following recommendations should be regarded as a minimum:

D.2.1.1.1 Selection of the most mature microelectronic technology capable of meeting the design
requirements, that is, one which has a history of safe and reliable application based on approved
components of an agreed quality. Component selection and circuit design should follow conservative design
principles. Components should be de-rated and not be required to operate at their full specified level. All
appropriate tools and simulations should be used to aid design and demonstrate circuit operation.

D.2.1.1.2 The selected components should be subjected to a stringent reliability screening process.

D.2.1.1.3 The use of FTA and/or FMECA on the system during the design and development phases, and
on chilled and frozen designs in order to ensure that the requirements of the Principles of Design, in
sub-clauses 5.2.3 and 5.2.4 of this document are satisfied and that safety targets have been met.

D.2.1.1.4 Minimise potential EMI problems, by selecting technology which has levels of switching-
threshold voltage and noise-margins which are as high as possible.

D.2.1.1.5 Ensure that all microelectronic devices and microprocessors are fully protected against the
specified EM environment by means of RF filters and EM screening and shielding. Particular care is needed
when systems containing such devices are likely to be subjected to the peak-power of a pulsed-radar
environment.

D.2.1.1.6 Ensure that an adequate level of testing is carried out during the design and development
phases, and during Production Acceptance Testing (PAT), which is aimed at producing satisfactory evidence
in support of safety and suitability for service criteria. All safety-critical functions should be subjected to 100%
PAT. Design proving and where relevant production tests should include safety tests at input parameter
levels and durations which are outside the normal expected range for such signals. Tests for safe operation
in the presence of predictable faults which may occur on safety related parts of the system should also be
conducted. All inhibit and interlock functions should be explicitly tested during PAT.

D.2.1.1.7 All equipment containing electrical, electronic and electromechanical components and which
can be functionally tested as a self-contained item, should be subjected to EMC susceptibility testing. Such
testing should ensure that any fundamental EMC weakness of the equipment is rectified before it is
integrated into, and tested in, an overall firing system in accordance with Def Stan 59-411 [25]. Once
installed in a system a full EMC test of that system in all operational modes should also be carried out.

D.2.2 Firing Circuits With Physical Breaks

Since semiconductor switches may fail short-circuited their use directly connected (dc coupled) in series,
between an EED and the source of firing power, without incorporating a physical circuit break requires
careful consideration. Where included the physical break should be positioned as close as possible to the
EED and its closure delayed for as long as operational requirements will permit.

D.2.3 Firing Circuits Without Physical Breaks

D.2.3.1 The requirements of STANAG 4187 [30] and STANAG 4368 [31] shall be observed for warhead
safety and arming units (SAUs) and rocket motor initiation devices (RMIs) respectively. For other circuits
containing EEDs without a physical break, a safety case demonstrating a high level of integrity and freedom
from single point failures shall be provided. Where SAUs and RMIs are used without a physical break, they
should employ alternating current (ac) coupled via a transformer. One of the semiconductor switches in the
primary circuit should be a dynamic switch such that any failure mode will prevent firing. The safety of such
an electronic system is seen to be dependent on the configuration of the circuit as well as on the reliability of
components. An example of an in-line electronic safety and arming unit (ESAU) in a fuzing system is shown
in Figure D 2. Motor Safety Ignition Units (MSIU) will use a similar circuit but many will use event rather
than environmental sensors as control inputs.

[Figure D 2: circuit diagram of an in-line ESAU. Labels: +V, -V, Firing Signal, Logic Devices, Triggered Spark Gap, In-line HV EED.]

S1 - First Environmental/Event Sensor
S2 - Second Environmental/Event Sensor
SS1 - First Static Switch
SS2 - Second Static Switch
DS - Dynamic Switch
T - Transformer
D - Diode/Rectifier
C - Firing Capacitor
R - Parallel Discharge Resistor

D.2.3.2 Detonators or igniters used in in-line applications must use approved and qualified insensitive
explosive compositions; consequently they require a high voltage capacitor discharge to cause functioning.
STANAGs 4187 [30] and 4368 [31] require that electrical initiators used in non-interrupted explosive trains
shall meet the requirements of the following 2 sub-paragraphs. Whilst the reasoning behind the requirements
may not be applicable to all systems there are sound reasons for limiting the sensitiveness of such
components.

D.2.3.2.1 Not be capable of being initiated by any electrical potential of less than 500 V applied directly to
the initiator.

NOTE The tests required for characterization of in-line initiators are included in Part 2 of this standard.

D.2.3.2.2 Not be capable of being initiated by an electrical potential of less than 500 V when applied to
any accessible part of the fuzing/initiating system during and after installation into the munition or any
munition subsystem.

D.2.3.3 Sufficiently high voltages are readily generated from the low voltage dc sources available in
munitions by means of a dc-to-dc converter. Such converters comprise an oscillating inverter, step-up
transformer and high voltage rectifier. An oscillating inverter requires a dynamic switch and ac coupling
which provide the fail-safe safety feature.

D.2.3.4 A dynamic switch is used in conjunction with one, or more, static switches (i.e. on or off). Dynamic
and static switches are connected in series so that the arming can be effected progressively, in the correct
sequence and time scale, in response to valid sensor signals. Fuzing systems shall include at least two
independent safety features, the operation of which is functionally isolated from other processes within the
munition system and each of which shall prevent unintentional arming of the system. At least one of the
independent safety features shall prevent arming after launch or deployment until the specified safe
separation distance or equivalent delay has been achieved.

D.2.3.5 The driving waveform for a dynamic semiconductor switch must be such that the switch cannot be
successfully driven by other waveforms that may be inadvertently applied following faults within the
munition/weapon system. The concept of a dynamic switch ensures a fail-safe design. However, for obvious
safety reasons, it must not be possible to stimulate the driving waveform by, for example, spurious
oscillations arising from amplifier/feedback/gain characteristics, or conducted or radiated EMI.


D.2.3.6 An ESAU/MSIU is considered 'Armed' when the Firing Capacitor Energy (FCE) is capable of
functioning the initiator with the probability of 0.005 at the 95% single sided lower level of confidence. The
firing capacitor of an ESAU should be provided with a duplicated discharge path to ensure it is kept in a
discharged condition at all times until the charging circuit is enabled by valid arming signals. Two resistors
connected in parallel should ensure the maintenance of a discharge path should one resistor fail
open-circuited.

D.2.4 Microprocessors

Any microprocessor selected for use in critical applications should have a history of reliable and correct
operation and adequate software support. Its instruction set should encourage good programming practice,
be free of side effects and be unambiguous.

D.2.5 Complex Programmable Logic Devices and Application Specific Integrated Circuits

D.2.5.1 A variety of complex logic devices are now being used in many applications including munition
firing and safety interlock systems. Such devices include Field Programmable Gate Arrays (FPGAs),
Complex Programmable Logic Devices (CPLD) and Application Specific Integrated Circuits (ASIC). The
function and safety of such devices depends as much on the software based design process used to
establish the customising of the device as on the hardware. The following recommendations are intended to
assist the safe use of ASIC/CPLD in munitions. For the remainder of this section the term CPLD is taken to
encompass FPGAs, ASICs and other complex electronic devices.

D.2.5.1.1 It is strongly recommended that the design of CPLD for safety critical applications be carried out
using a well established and supported Hardware Description Language (HDL) such as VHDL. In addition
the use of formal methods should ensure a CPLD design conforms to its specification and is therefore less
likely to contain systematic faults.

D.2.5.1.2 CPLD should not incorporate unnecessary gates or functions. Unnecessary gates and
functions may result in spurious outputs. Where unused or normally non-operational gates remain on a
proprietary device they should be appropriately disabled and terminated, according to the device
manufacturer's latest specifications and notes.

D.2.5.1.3 CPLD power circuits should be isolated from signal or logic lines to the maximum extent
practicable through circuit design and pin selection. Power to the system should be suitably partitioned from
platform and other power and be applied as late in the launch sequence/operational deployment as possible.

D.2.5.1.4 Multiple pin earth/ground connections are recommended to minimise probability of loss of
connection to the earth/ground plane. Disconnection of the earth/ground plane could result in change of state
of safety critical outputs.

D.2.5.1.5 CPLD used for safety critical functions should be designed and selected to enable full function
testing and be subjected to dynamic burn-in. Full function testing should ensure that the CPLD behaves in a
predictable and safe manner. Dynamic burn-in should eliminate early failures.

D.2.5.1.6 Multiple safety related functions implemented on a single CPLD shall not be considered to be
independent. Although it is possible to isolate separate functions logically (e.g. by using separate pins and
clocks) and to a certain extent electrically (e.g. by using separate power supplies and guard rings) there is
still a possibility that a fault in a shared package could compromise both functions in an unpredictable way.

D.2.5.1.7 A safety related system shall not utilise the same technology device to provide independent
functions because of the risk of common failure modes. Where practicable, at least one safety break should
be implemented with discrete components.

D.2.5.1.8 Safety related firmware should not be alterable or erasable, by any credible environment
encountered in the life cycle of the munition. It shall not be possible to alter or update safety related firmware
without the use of special tools/voltage levels which are not available to normal users. In general such
changes should require the system to be returned to the Design Organisation.

D.2.5.1.9 All logic implementation should replicate the documented design. This requirement is to ensure
the intended design (Logic Device schematics, software code, etc.) is actually what is in hardware/software.
For example, in VHDL, if the design has a binary state machine, the hardware does not have a one-shot
state machine, which is functionally equivalent but physically different. The documentation to be provided
shall describe all the functionality embedded in the CPLD and not just the safety related functions. The
documentation shall cover the complete logic flow with all inputs, outputs and timings.

D.2.5.1.10 Any safety related clocks should have a method of verification. The preferred method would be
independent clocks with verification of the safety related clock or one clock compared with a known timed
event such as a capacitor discharge.

D.2.5.1.11 The choice of CPLD should take full account of the following and the relevant parts in Clause
D.3:

a) The device should be the least complex required for the task.

b) The device should be mature and well supported by mature toolsets.

c) The choice of technology should take account of the life required, its ability to hold program/charge over
that life and its susceptibility to cosmic radiation, X rays and EMC effects. The gate size of the device
selected should not be less than approximately 45 nm to reduce the risk of single event upset, other
disturbances and avoid issues related to tolerances of on to off voltage thresholds.

d) The need to check at switch on that the program is not corrupted.

e) The need to ensure that spurious outputs are not possible during initialisation.

f) Re-configurable devices (including those programmed during power up) should not be used for safety
related functions.

D.3 Microprocessor Hardware Design Techniques

D.3.1 The design of microprocessor-controlled firing systems should be kept as simple as possible in
order to enhance confidence in the assessment of safety and suitability for service. Simplicity of design is
also a considerable aid to the achievement of reliability.

D.3.2 The following techniques are considered to represent good practice and should be employed in the
design of microprocessor-controlled safety-related weapon systems:

D.3.2.1 Read-Only Memory (ROM). All programs should be held in ROM. All microprocessor systems must
have some program in ROM (if only to allow other programs to be loaded after switch on), and as the
processor is to perform a dedicated task, there is no reason for not keeping the whole of the application
program in ROM. The alternative is to load the program into Random Access Memory (RAM) but as RAM is
more susceptible than ROM to soft errors (bit values changing in memory) this would lead to a degradation
in the reliability and possibly safety of the system.

D.3.2.2 Random Access Memory (RAM). The use of dynamic RAM should be avoided because it is more
susceptible to soft errors than is static RAM. Static RAM also has the advantage of not requiring refresh
logic. If a large amount of data is required, such that static RAM is impractical, then a synchronous refresh
controller should be used. That is, the processor should announce when a refresh cycle can occur. This
avoids the use of complex asynchronous refresh controller chips some of which are more complex than the
Central Processor Unit (CPU), and many of which have been shown to have design faults.

D.3.2.3 Error Detection and Correction Techniques. Both static and dynamic RAM can suffer from soft
errors due to faulty write cycle timing or alpha particles. A parity checker will detect most of these errors. The
result of detecting an error should be to force the processor to a safe state; only in exceptional
circumstances should the processor be allowed to restart itself. In theory, the ROM could be checked as
well as the RAM, but as soft errors in ROM are far less likely than in RAM this may be considered
unnecessary if the contents of ROM are checked at switch on by a sum-check test.

D.3.2.4 Clock Frequency. It is recommended that the clock frequency be reduced to the lowest frequency
consistent with performance requirements. The manufacturer's recommended clock frequency is determined
as the highest frequency at which the internal logic of the CPU can be guaranteed to operate correctly. The
frequency chosen is based on a number of assumptions about the operating environment, many of which
may be untrue for weapons systems. The processor will therefore operate more reliably if the clock
frequency is reduced, increasing the settling time for the internal logic and improving the margin for
fluctuations in timing caused by the temperature variations, etc. It should however be noted that some
processors have specified minimum clock frequencies, as the internal logic is dynamic. These dynamic
devices should be avoided in favour of static ones, i.e. processors that will operate correctly at very low
frequency.

D.3.2.5 Pipeline. An instruction pipeline is a technique used in the design of microprocessors and other
digital electronic devices to increase their performance. Pipelining reduces cycle time of a processor and
hence increases instruction throughput, the number of instructions that can be executed in a unit of time.
However, despite this benefit, it is worth noting that pipelining does not help in all cases. When a
programmer (or compiler) writes assembly code, they make the assumption that each instruction is executed
before execution of the subsequent instruction is begun. This assumption is invalidated by pipelining. This
can cause a program to behave incorrectly, and cause a hazard. Various techniques for resolving hazards
such as forwarding and stalling exist.

D.3.2.6 Interrupts. Interrupts should be avoided as they make validation of the software extremely difficult,
if not impossible. If the effect of an interrupt is required, it can be achieved by the software examining an
appropriate hardware signal and calling the required procedure if the signal is set. Since interrupts can now
only occur at fixed positions in the program, validation is possible.

D.3.2.7 Switching Transients. The operation of a microprocessor is undefined whilst the power supply is in
the transitional state of being switched on or off. In both cases therefore protection should be provided to
prevent spurious signals from the microprocessor affecting an EED firing system.

D.3.2.8 Choice of Technology. The selected technology should be a mature one as recommended in
Clause D.2.4. The effects of the environment on the processor technology should also be considered. In
many cases, low power consumption, tolerance to power supply fluctuations and high noise immunity (to
reduce the effects of EMI) are likely to be important. Complementary Metal Oxide Semiconductor (CMOS) is
a technology with all those properties (or Silicon On Sapphire (SOS), if nuclear hardness is also required).
Note however that some CMOS technologies suffer from latch-up, a reaction to abnormal power supply
fluctuations, which usually destroys the chip, so care must be taken to select a latch-up resistant CMOS
family. Other technologies may provide equally good characteristics.

D.4 Microprocessor Self-test Software Design Techniques

D.4.1 General

D.4.1.1 The software techniques outlined below are specific to the application of self-test routines in
microprocessor systems. Techniques concerned with the design, validation, testing and certification of
software in general are detailed in Annex E.

D.4.1.2 When the microprocessor system is turned on, the first act of the software should be to determine,
as far as possible, whether or not the hardware is working. Specifically, the ROM should be sum-checked to
look for any bits that have dropped out whilst the system has been dormant and read-write tests performed
on the RAM, that is testing that all bits can be written and read as 0, then as 1, followed preferably by some
form of pseudo-random or walking-bit test. If similar tests can be performed on other parts of the hardware,
such as peripheral interfaces, those should also be made. The effect of failing these checks should be to
force the processor into a safe state, as is done on detection of parity faults.
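The switch-on checks described in D.4.1.2, sketched in C as an added example that is not part of the standard. The simulated RAM with injectable faults, the 16-bit additive sum, the constructed ROM image and all names are assumptions made so that the code runs on a host machine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define RAM_CELLS 32u
#define NO_FAULT  ((size_t)-1)

/* Simulated RAM so that faults can be injected when run on a host.
 * On a target these accessors would be volatile reads and writes. */
typedef struct {
    uint8_t cells[RAM_CELLS];
    size_t  fault_index;  /* faulty cell, or NO_FAULT */
    uint8_t stuck_low;    /* bits of that cell that always store 0 */
    uint8_t short_mask;   /* bits of that cell shorted together (wired-OR) */
} sim_ram_t;

static void ram_write(sim_ram_t *r, size_t i, uint8_t v)
{
    if (i == r->fault_index) {
        if (v & r->short_mask)
            v |= r->short_mask;
        v &= (uint8_t)~r->stuck_low;
    }
    r->cells[i] = v;
}

static uint8_t ram_read(const sim_ram_t *r, size_t i) { return r->cells[i]; }

typedef enum { POST_OK = 0, POST_ROM_FAIL, POST_RAM_FAIL } post_result_t;

/* Constructed 4-byte ROM image and the sum recorded for it at build time. */
static const uint8_t SAMPLE_ROM[4] = { 0x12, 0x34, 0x56, 0x78 };
#define SAMPLE_ROM_SUM 0x0114u

/* 16-bit additive sum-check over the ROM image. */
uint16_t rom_sum16(const uint8_t *rom, size_t len)
{
    uint16_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum = (uint16_t)(sum + rom[i]);
    return sum;
}

/* Write one pattern to every cell, then read every cell back. */
static bool ram_pattern_ok(sim_ram_t *r, size_t len, uint8_t pattern)
{
    for (size_t i = 0; i < len; i++)
        ram_write(r, i, pattern);
    for (size_t i = 0; i < len; i++)
        if (ram_read(r, i) != pattern)
            return false;
    return true;
}

/* Destructive test: every bit as 0, every bit as 1, then a walking-1
 * through each cell, which catches bits that disturb their neighbours. */
bool ram_test(sim_ram_t *r, size_t len)
{
    if (!ram_pattern_ok(r, len, 0x00) || !ram_pattern_ok(r, len, 0xFF))
        return false;
    for (size_t i = 0; i < len; i++) {
        for (unsigned bit = 0; bit < 8; bit++) {
            uint8_t p = (uint8_t)(1u << bit);
            ram_write(r, i, p);
            if (ram_read(r, i) != p)
                return false;
        }
        ram_write(r, i, 0x00);
    }
    return true;
}

/* Any result other than POST_OK must force the processor to its safe state. */
post_result_t power_on_self_test(const uint8_t *rom, size_t rom_len,
                                 uint16_t expected_sum,
                                 sim_ram_t *ram, size_t ram_len)
{
    if (rom_sum16(rom, rom_len) != expected_sum)
        return POST_ROM_FAIL;
    if (!ram_test(ram, ram_len))
        return POST_RAM_FAIL;
    return POST_OK;
}

int main(void)
{
    sim_ram_t ram = { {0}, NO_FAULT, 0, 0 };
    post_result_t r = power_on_self_test(SAMPLE_ROM, sizeof SAMPLE_ROM,
                                         SAMPLE_ROM_SUM, &ram, RAM_CELLS);
    printf("POST result: %d\n", (int)r);
    return r == POST_OK ? 0 : 1;
}
```

A cell with two shorted bits passes both the all-0 and the all-1 pass and is only caught by the walking-bit pass, which is why the paragraph asks for more than the simple read-write test.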

D.4.1.3 Where possible, the software should try to confirm the value of any data being provided by sensors.
For example, if the parameter being sensed is known to vary slowly, the software should read a number of
values in quick succession and take the average. Similarly, if the parameter to be read is known to lie in
some particular range, actual sensed values should be checked to ensure that they lie in that range. This is
also true if the values being read are part of a sequence, for example in shaft encoding, the read value
should be compared with the valid next members of the sequence (see Clause D.5).

D.4.2 Fault conditions

D.4.2.1 Any processor will, under certain fault conditions, run wild, effectively writing random data in
random locations. It is important therefore that the initiation of a safety related event (such as arming or
firing) does not rely upon the writing of one data pattern to some location, or locations, as this may occur
erroneously under fault conditions. A scheme, giving an acceptable probability of error, would be to require
consecutive writes of specified values to specified locations. This sequence should not be achieved solely by
execution of a procedure without data dependencies, as some faults may cause random pieces of ROM
code to be executed correctly, i.e. force illegal jumps.

D.4.2.2 It is unlikely that any microprocessor-based system intended for safety-related applications will
have the total amount of memory the processor can support. Thus for a 16-bit address machine, it is
unlikely that all 64K of memory will physically exist. The memory map of the system will therefore have
illegal regions that do not correspond to any physical memory devices. Should the processor attempt to
access such a region, either due to a hardware failure or an incorrect program, this event should be detected
and the processor forced into a safe state. The address decoding logic should not only provide the device
selects for the various RAM and ROM devices in the system, but should also look for accesses to the illegal
regions. The practice of incomplete decoding, that is allowing the same memory device to be accessed at
two (or more) sets of addresses, should not be allowed in safety-related systems as it makes program
validation extremely difficult.

D.4.2.3 It is likely that any ROM in the system will have some unused locations. These should be
programmed with HALT instructions or their equivalent, so that, should the processor mistakenly access
them, it stops or performs some other suitable fail-safe action.

D.4.3 Watch-dog Timers

The use of a watch-dog timer is recommended. The software of the system should be required to access the
watch-dog timer at regular intervals. If the timer is not accessed after the specified interval, the processor
should be forced into a safe state, on the assumption that the software is not operating correctly.

D.5 Interfaces

D.5.1 All input and output connections should be filtered to the lowest possible frequency consistent with
the bandwidth of the signals being processed. Consideration should be given to the use of optoelectronic
techniques at all interfaces to minimise the effects of

D.5.2 Where a processor system is receiving data from a sensor (or another processor system) the
interface should be designed such that some form of error check is available on data passed across the
interface. This would be in addition to the software attempting to verify the correctness of the data from some
knowledge of the physics of the information being sensed. For example, byte/words of multiple word
messages between processors should also include a checksum on the message. For sensing shaft rotation,
or similar events, a Gray coding or similar technique should be used.
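The data checks of D.4.1.3 and D.5.2 (range check, averaging of a slowly varying value, message checksum and Gray-coded sequence check), sketched in C as an added example that is not part of the standard. The 4-bit encoder, the three-byte frame layout, the modulo-256 checksum and all names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ENC_BITS      4u                 /* assumed encoder width */
#define ENC_POSITIONS (1u << ENC_BITS)   /* 16 shaft positions */

typedef enum { READ_OK = 0, READ_BAD_CHECKSUM, READ_OUT_OF_RANGE,
               READ_BAD_SEQUENCE } read_status_t;

uint8_t bin_to_gray(uint8_t b) { return (uint8_t)(b ^ (b >> 1)); }

uint8_t gray_to_bin(uint8_t g)
{
    uint8_t b = g;
    for (uint8_t shift = g >> 1; shift != 0; shift >>= 1)
        b ^= shift;
    return b;
}

/* Checksum byte that makes the modulo-256 sum of the whole frame zero. */
uint8_t frame_checksum(const uint8_t *payload, size_t n)
{
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++)
        sum = (uint8_t)(sum + payload[i]);
    return (uint8_t)(0u - sum);
}

bool frame_ok(const uint8_t *frame, size_t len)
{
    if (len < 2)
        return false;
    return frame_checksum(frame, len - 1) == frame[len - 1];
}

/* A shaft can only stay put or move to a neighbouring position. Comparing
 * decoded positions matters: two Gray codes that differ in one bit are not
 * always neighbours (0111 is position 5, 1111 is position 10). */
bool gray_step_valid(uint8_t prev_gray, uint8_t next_gray)
{
    unsigned prev = gray_to_bin(prev_gray);
    unsigned next = gray_to_bin(next_gray);
    unsigned diff = (next - prev) & (ENC_POSITIONS - 1u);
    return diff == 0 || diff == 1 || diff == ENC_POSITIONS - 1u;
}

/* Assumed frame layout: [message counter][Gray reading][checksum]. */
read_status_t accept_reading(uint8_t prev_gray, const uint8_t *frame,
                             size_t len, uint8_t *accepted_gray)
{
    if (len != 3 || !frame_ok(frame, len))
        return READ_BAD_CHECKSUM;
    if (frame[1] >= ENC_POSITIONS)
        return READ_OUT_OF_RANGE;
    if (!gray_step_valid(prev_gray, frame[1]))
        return READ_BAD_SEQUENCE;
    *accepted_gray = frame[1];
    return READ_OK;
}

/* Slowly varying parameter: reject the whole burst if any sample lies
 * outside the known range, otherwise return the mean of the samples. */
bool average_in_range(const uint16_t *samples, size_t n,
                      uint16_t lo, uint16_t hi, uint16_t *avg)
{
    uint32_t total = 0;
    if (n == 0 || n > 256)   /* small bursts only, so the sum cannot overflow */
        return false;
    for (size_t i = 0; i < n; i++) {
        if (samples[i] < lo || samples[i] > hi)
            return false;
        total += samples[i];
    }
    *avg = (uint16_t)(total / n);
    return true;
}
```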

D.6 Remote Control Circuits

D.6.1 Where the initiation of EED by remote control is required and effected either by a hardwire link, an
optoelectronic link, or a radio link, the principles and recommendations of Annex C remain valid. In these
cases the complete system is to be considered, including the operator controls, the transmitting and
receiving circuits and the safety breaks immediately associated with the EED. The necessity to avoid single
failure modes in the operator controlled and transmitting circuits therefore still applies.

D.6.2 Where the firing of the EED is dependent on the sending and receiving of a digital signal, suitable
measures should be taken to ensure that it is not possible to initiate the EED due to a single failure effect
(e.g. a single bit error in the coding, transmission or de-coding of the signal). Techniques such as error
correction, requesting confirmation of the command, and requiring two or more different but specified
messages to be sent and received should be implemented. These should be applied even where the remote
controlled circuits are hardware only. In many applications more than one of these techniques can be simply
achieved and should be employed. Where radio controlled links are used, consideration must be given to the
possibility of signal intercept and spoofing. Also, where multiple sets of transmitters and receivers may be
deployed in a given area, a means of ensuring only the correct transmitter can operate a given receiver and
that this receiver remains in a safe state until deliberately armed must be implemented. In these
circumstances unique randomly generated codes related only to particular transmitter/receiver pairs together
with a removable key in the transmitter should be considered.

D.7 Intrinsic Safety Assessment

D.7.1 Except where the system being assessed contains only very simple electronic circuits, with a very
limited number of semiconductor elements, detailed theoretical analysis of the system is presently judged to
be impractical. For this reason assessment of electronically controlled EED firing circuits will be largely
dependent upon evidence from FTA and FMEA/FMECA in sub-assemblies and upon tests and trials.

D.7.2 Evidence will be required which demonstrates that a design satisfies the design principles at
Annex A Serial Nos 1 and 2 as appropriate. The evidence should be presented in the form of a FTA and
FMEA, carried out to at least a three (or four) independent system-fault level. Full account should be taken of
the various operational phases involved, including periods of dormancy during storage and of the effects
which extremes of the specified climatic and mechanical environments may have on failure modes and
failure rates. Depending upon the application it may be necessary to carry out FTA and FMEA in the
powered and un-powered condition.

D.7.3 The task of FTA and FMEA will be facilitated if the design recommendations with respect to the
choice of a mature technology and a stringent component screening process are observed.

D.7.4 Favourable results of FTA and FMEA are not necessarily conclusive because failure modes may be
overlooked and event probabilities may be uncertain. It is therefore strongly recommended that a test
programme be instituted at the outset of a project that is designed to accumulate practical evidence in
support of the safety and suitability for service assessment. An ideal test programme would include data
from on-receipt inspection and test at component, board, sub-system and system levels and would be
applied to all stages of design, development and pre-production. Further confidence can be gained by
subjecting all safety critical functions to 100% production acceptance testing. All such evidence should relate
to the in-service build standard.


Annex E
Design Requirements and Analysis of Safety Related Software

E.1 Introduction

E.1.1 There is a wide and growing range of systems whose safety depends, in part or in full, on the
correct functioning of computers and the programs that run in them. Examples may be found in both the civil
and military fields.

E.1.2 Redundant components or sub-systems are frequently used to increase either the safety or
reliability of systems where random failures or errors are considered to present a problem. Redundancy,
however, does not account for the possibility of systematic errors arising from the design process. If software
is involved, the parallel replication of identical modules will guard against, for example, the corruption of
programs held in memory by a number of hardware failure modes but not against the existence of software
errors. The dissimilar programming of parallel modules to the same specification is expensive but still fails to
account for errors in the specification.

E.1.3 The Design Organisation for the overall weapon system shall define requirements for the software
system. There shall be a hazard analysis and safety assessment in accordance with Def Stan 00-56 [15] to
identify, evaluate and record the hazards on new systems and systems undergoing modification. Where
software has been assessed as Safety Related Software (SRS) the design and implementation of the
software shall reflect the need for independent assessment using methods discussed below. The following
principles are directed towards the production of safe software and are covered fully in Allied Ordnance
Publication (AOP) 52 [10]. In addition the MOD Acquisition Operating Framework contains reference
material for project teams related to software safety. AOP 52 has a full description of the processes and
procedures required for safety related software. The remaining sections of this annex discuss some of the
principal functions required but are considerably less comprehensive than the AOP.

E.1.4 This Annex is relevant to a software system that may initiate a fuzing, arming or firing sequence in
response to sensed and pre-set inputs. In particular it applies to software that controls firing circuits of EED,
except where it can be shown that the intrinsic safety of the system is vested in hardware and that the
software is not therefore safety related. It is also relevant to any other software that may be deemed safety
related; for example, software responsible for stores management, mode selection, weapon movement,
weapon release and weapon danger areas.

E.2 Software Development


Software development should link with the overall Project Management Plan (PMP) and the System
Engineering Management Plan (SEMP) to tie in the software development milestones with system
development. The software development processes used should follow a mature development model for
example the well-known V-model (Figure E.1).


Figure E.1 V Model Lifecycle

E.3 Software Requirement Specification

E.3.1 A System Defining Specification (SDS) software requirement should be produced and should be
verified by the Design Organisation to ensure that it is self-consistent and unambiguous. The Requirements
contained in the System Requirements Document (SRD) should be analysed to produce functional
statements. This analysis and subsequent decomposition should also identify the functionality split between
software and hardware. The SDS will contain these functional statements divided into separate sections for
software and hardware sub-divisions (electronic, mechanical, etc). This document will not hold any material
pertaining to design.

E.3.2 The functional statements shall be such that a System/Acceptance test can be later defined based
on these statements. The requirement shall contain sufficient information to enable a software safety case to
be produced. A hazard analysis should be carried out on the functional statements to assess whether the
software will be safety related and determine how much rigour in the design process will be required to argue
that it is safe.

E.3.3 A Software Requirement Specification (SRS) shall be produced, stating in a formal notation the
response of the system to data input. A progressive refinement of the requirements of the software from
system to module to procedure level shall be documented in the software specification, software design and
code. All safety functions and safety properties shall be explicitly identified. The possibility of failed sensors,
dangerous pre-sets and memory corruption shall all be covered. The use of uniquely coded outputs shall
arise only from a unique sequence of inputs and should have minimum correlation with all other codes in the
system.

E.3.4 A verification and validation (V&V) team should validate the software specification and design.
Attention shall be directed towards resolving ambiguity and ensuring consistency and completeness.

E.3.5 The Systems Requirements Document should be imported into a database such as DOORS. The
other documents residing in DOORS should be:

a) System Requirement Specification


b) Sub-System Requirement Specification
c) Software Architecture Specification
d) Acceptance Test Specification
e) Software Integration Test Specification


E.4 Verification and Validation (V&V) Team


A verification and validation (V&V) team is to be appointed to carry out or undertake a review of all the steps
throughout the development process. The team should be independent of the design team and should
produce a V&V plan.

E.5 Fidelity Of Specifications


The Design Organisation shall demonstrate conformity between adjacent levels of specification, so that
satisfaction of the specifications for each module implies satisfaction of the overall software requirement
specification. This should be done early and can be done in an iterative manner. For software requiring high
safety integrity the use of formal techniques for this process should be considered.

E.6 Choice Of Software Support And Quality Of Software

E.6.1 A structured high-level language shall be used. The language shall be strongly typed and block
structured and shall possess formally defined syntax and predictable program execution. Assembly or other
low-level languages should not be used for safety related functions. The permissible exception to the
production of the SRS in a high-level language should be the use of assembler language for small sections
of code in the following circumstances:

a) Sections of the software where close interaction with hardware is required that cannot easily be
accommodated with a high level language.

b) Sections of the software where performance constraints cannot be met by a high level language.

c) Very small applications where the use of a high level language, compilation system and more
powerful processor would increase, rather than reduce, safety risk.

E.6.2 Each use of assembly language within the SRS shall be agreed with the Design Organisation and
the MOD PT representative. It shall also be justified in the Software Safety Case.

E.6.3 The software shall be written with regard to the subsequent need for proving safety. The use of
partitioning will assist in this approach. Unsafe features of the chosen programming language shall not be
used.

E.6.4 Each module and each procedure shall have a unique start and unique end. Every loop shall have a
unique entrance, though the use of loops shall be minimised. Loop terminations shall be guaranteed by the
use of predetermined constant bounds. There shall be no computed jumps, no interrupts, no aliasing, no
recursion and no procedures as parameters to other procedures unless correct operation can be
demonstrated.

E.6.5 Defensive programming techniques shall be used to avoid the processing of illegal data, including
that received from failed sensors and dangerous pre-sets. Safety assertions shall be planted in the source
text and used operationally. Failure to satisfy an assertion shall cause the program to fail-safe. Defensive
modules/instructions should be clearly identified and documented to avoid unintended removal by future
software modifications.
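Added example (not part of the standard): a sketch in C of how the rules in E.6.4 and E.6.5 combine in one monitoring routine, with a constant loop bound, a single exit, and safety assertions that stay in the operational build and latch a fail-safe state on illegal or failed-sensor data. All names, limits and sample frames are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed values for a hypothetical 12-bit level monitor. */
#define SAMPLE_COUNT      8u     /* predetermined constant loop bound (E.6.4) */
#define ADC_MAX_COUNTS    4095u  /* readings above full scale are illegal data */
#define ADC_STUCK_LOW     0u     /* reading produced by a failed (open) sensor */
#define LIMIT_COUNTS      1000u  /* highest level at which output may be enabled */
#define MAX_SPREAD_COUNTS 50u    /* samples in one frame must agree this closely */

typedef enum { STATE_SAFE = 0, STATE_ENABLED, STATE_FAILED_SAFE } out_state_t;

typedef enum {
    SA_NONE = 0, SA_LATCHED, SA_NULL_INPUT,
    SA_SAMPLE_RANGE, SA_SENSOR_STUCK, SA_IMPLAUSIBLE_SPREAD
} safety_assert_id_t;

typedef struct {
    out_state_t state;
    safety_assert_id_t first_failure;  /* kept for the safety record log */
} monitor_t;

/* SAFETY ASSERTION (E.6.5): always compiled in, unlike assert(), which
 * NDEBUG removes. Do not delete or bypass during later modifications. */
static bool safety_assert(monitor_t *m, bool condition, safety_assert_id_t id)
{
    if (!condition) {
        m->state = STATE_FAILED_SAFE;          /* output is forced off */
        if (m->first_failure == SA_NONE) {
            m->first_failure = id;
        }
    }
    return condition;
}

/* One monitoring cycle. Single entry, single exit, no recursion. */
out_state_t monitor_step(monitor_t *m, const uint16_t *samples, bool enable_requested)
{
    out_state_t result = STATE_FAILED_SAFE;    /* default outcome is the safe one */
    uint16_t lo = ADC_MAX_COUNTS;
    uint16_t hi = 0u;
    uint32_t i;
    bool ok;

    if (m != NULL) {
        /* A latched failure is never cleared by this code path. */
        ok = safety_assert(m, m->state != STATE_FAILED_SAFE, SA_LATCHED);
        ok = ok && safety_assert(m, samples != NULL, SA_NULL_INPUT);

        for (i = 0u; i < SAMPLE_COUNT; i++) {  /* constant bound, no early exit */
            if (ok) {
                const uint16_t s = samples[i];
                ok = safety_assert(m, s <= ADC_MAX_COUNTS, SA_SAMPLE_RANGE)
                  && safety_assert(m, s != ADC_STUCK_LOW, SA_SENSOR_STUCK);
                lo = (s < lo) ? s : lo;
                hi = (s > hi) ? s : hi;
            }
        }
        if (ok) {
            ok = safety_assert(m, ((uint32_t)hi - (uint32_t)lo) <= MAX_SPREAD_COUNTS,
                               SA_IMPLAUSIBLE_SPREAD);
        }
        if (ok) {
            /* Legal data above the limit is not a fault: the output stays off. */
            m->state = (enable_requested && (hi <= LIMIT_COUNTS)) ? STATE_ENABLED
                                                                  : STATE_SAFE;
        }
        result = m->state;
    }
    return result;
}

int main(void)
{
    /* Constructed frames: one healthy, one with a failed-sensor reading. */
    const uint16_t good[SAMPLE_COUNT]  = {500, 505, 498, 502, 501, 499, 503, 500};
    const uint16_t stuck[SAMPLE_COUNT] = {500, 505, 0, 502, 501, 499, 503, 500};
    monitor_t m = { STATE_SAFE, SA_NONE };
    bool pass = (monitor_step(&m, good, true) == STATE_ENABLED);
    pass = pass && (monitor_step(&m, stuck, true) == STATE_FAILED_SAFE);
    pass = pass && (monitor_step(&m, good, true) == STATE_FAILED_SAFE);
    return pass ? 0 : 1;
}
```

The sketch separates illegal data, which latches the failed-safe state, from legal data above the limit, which only keeps the output off.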

E.6.6 A software quality plan to meet the requirements of BS EN ISO/IEC 90003:2004 Ref [12] at a
minimum shall be produced.

E.7 Configuration Control


A formal configuration control system to meet the requirements of Def Stan 05-57 [18] (except that
Engineering Changes shall not be used) shall be established. Control shall be exercised to guarantee that
the version of software loaded in the target processor is the same as the version certified. Monolithic
compilation of the software is recommended.
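Added example (not part of the standard): one way a start-up check could support the E.7 requirement that the loaded software is the certified version, by comparing the image in memory with a record taken at certification. The record layout, function names, size bound and the choice of CRC-32 are assumptions, and the sample image is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define MAX_IMAGE_BYTES 65536u  /* constructed upper bound for a hypothetical target */

/* Record produced when the build was certified (values are placeholders). */
typedef struct {
    uint32_t version_id;
    uint32_t length;
    uint32_t crc32;
} certified_record_t;

typedef enum {
    IMG_OK = 0, IMG_BAD_ARGUMENT, IMG_VERSION_MISMATCH,
    IMG_LENGTH_MISMATCH, IMG_CRC_MISMATCH
} image_check_t;

/* CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), bitwise form. */
uint32_t crc32_ieee(const uint8_t *data, uint32_t length)
{
    uint32_t crc = 0xFFFFFFFFu;
    uint32_t i;
    uint32_t bit;
    for (i = 0u; i < length; i++) {
        crc ^= (uint32_t)data[i];
        for (bit = 0u; bit < 8u; bit++) {
            crc = ((crc & 1u) != 0u) ? ((crc >> 1) ^ 0xEDB88320u) : (crc >> 1);
        }
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Compare what is loaded with what was certified. Single exit; the default
 * result is a failure, so any unhandled path refuses to run the software. */
image_check_t verify_loaded_image(const uint8_t *image, uint32_t loaded_length,
                                  uint32_t loaded_version,
                                  const certified_record_t *rec)
{
    image_check_t result = IMG_BAD_ARGUMENT;
    if ((image != NULL) && (rec != NULL) &&
        (rec->length > 0u) && (rec->length <= MAX_IMAGE_BYTES)) {
        if (loaded_version != rec->version_id) {
            result = IMG_VERSION_MISMATCH;
        } else if (loaded_length != rec->length) {
            result = IMG_LENGTH_MISMATCH;   /* checked before the CRC loop runs */
        } else if (crc32_ieee(image, loaded_length) != rec->crc32) {
            result = IMG_CRC_MISMATCH;
        } else {
            result = IMG_OK;
        }
    }
    return result;
}

/* Only an exact match permits the safety related function to start. */
bool permit_operation(image_check_t r)
{
    return r == IMG_OK;
}

int main(void)
{
    /* Constructed 9-byte "image" and its certification record. */
    const uint8_t image[9] = {'1', '2', '3', '4', '5', '6', '7', '8', '9'};
    const certified_record_t rec = { 0x00010002u, 9u, 0xCBF43926u };
    return permit_operation(verify_loaded_image(image, 9u, 0x00010002u, &rec)) ? 0 : 1;
}
```

A CRC catches a wrong or corrupted build but not deliberate modification; where that matters, the same comparison would be made on a cryptographic digest or signature.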

E.8 Documentation

E.8.1 Software documentation to meet the following requirements should be produced:

a) Software Safety Plan.

b) Software Safety Case.

c) Software Safety Record Log.

d) Software Safety Audit Plan.

e) Software Audit Reports.

f) Software Quality Plan.

g) Software Development Plan.

h) Software Risk Management Plan.

i) Software Verification and Validation Plan.

j) Software Configuration Management Plan and Record.

k) Code of Practice.

l) Software Specification & Record.

m) Software Design & Record.

n) Design Record.

o) Code.

p) Test Schedule, Record and Report.

q) Acceptance Test Record and Report.

r) User Manuals and Maintenance Plan.

E.8.2 The Design Organisation may decide, in conjunction with the MOD representative, that the
information would be better presented using a different document set. For example a number of documents
may be incorporated into a single document, provided that there is an easy traceability between these
requirements and their incorporation into the actual document set. All documentation shall conform to an
agreed interpretation of JSP 188 [25]. Where mathematical notation is required, predicate calculus is
recommended.

E.9 Extent of Analysis

E.9.1 The implementation of Def Stan 00-56 [15] should identify, evaluate and record any hazard to or
from the munition, or weapon system, in order to determine the maximum tolerable risk. This activity will
provide the safety criteria to arrive at an acceptable balance between the reduction of the risk to safety and
the cost of that risk reduction.

E.9.2 There is a clear distinction between random failure and systematic failure. Random failure is due to
physical change and there are a number of effective techniques for predicting failure rates to a reasonable
degree of accuracy. Systematic failure is caused by errors in the specification or design of the system. For
example, because software does not wear out and will always perform in the way in which it has been
designed, all software failures are systematic.

E.9.3 It may be impossible, for reasons of cost or time, to analyse all software comprising a given system.
The hazard analysis process should therefore identify, at a high level of design, the essential safety-related
features of the system.

E.9.4 The goal-based approach to safety assurance required by Def Stan 00-56 Ref [15] means more
scope for the Contractor to exercise flexibility in approach, therefore more emphasis is needed on
independent scrutiny and assessment. Evidence should be provided of independent verification and
assessment of evidence, arguments and safety claims.

E.9.5 Evidence of scrutiny includes audit reports, corrective action etc. as well as quality assurance and
verification and validation documentation such as peer review. The quality of the safety management, and
the recognition (by acknowledged expert bodies) of methodologies employed in order that it can be
concluded that the risk of failure has been reduced so far as reasonably practicable. The software analysis
and test aspects can then concentrate on these aspects.

E.9.6 The rigour of the evidence and the extent and coverage of evidence should be proportional to the
impact on the hazard. For complex electronic systems, the evidence required for assurance is likely to be
detailed and extensive. Therefore, the effort required for adequate scrutiny of evidence is also likely to be
significant.

E.9.7 Identifying safety integrity requirements establishes the degree of confidence needed in the
evidence against failure. This then allows the quality of the safety management procedures and the range
and type of evidence which are required to provide that confidence to be defined and agreed. The software
analysis and test aspect can then concentrate on providing relevant parts of the evidence.

E.9.8 A number of standards use safety integrity schemes to allocate an Integrity Level to certain
functions. These are often referred to as Safety Integrity Levels (SILs) or Design Assurance Levels (DALs).
This can work extremely well and it has the advantage of providing an authoritative definition of good
practice. The PT and Contractor may agree to adopt a scheme such as this in order to define safety integrity
requirements but they must be aware that it is more prescriptive and therefore less flexible than the goal-
based approach identified in Def Stan 00-56 Ref [15]. Any requirements that are incomplete, inconsistent or
require further interpretation should be resolved prior to commencement of the software design process. The
level of integrity agreed upon will reflect the severity of the hazard being mitigated and therefore the
robustness of the evidence required.

E.10 Verification, Validation and Test (VV&T)

E.10.1 Verification, Validation and Test is a process that forms the basis of the more detailed plans and
procedures that cover the project lifecycle.

E.10.2 Software Verification examines the products of each development activity (or increment of the
activity) to determine if the software development outputs meet the requirements established at the
beginning of the activity. The scope of each software development activity is defined by this document. This
concept should be applied to each iteration of an activity.

E.10.3 Software Validation confirms that the software is a correct implementation of the system
requirements for which the software is responsible. It is conducted concurrently with, and at the end of, all
software development activities.

E.10.4 Software Test ensures that the software product is what is required. Methods should include white
and black box, statement, branch and path coverage testing. The way of implementing these activities with
regard to a project shall be via Review, particularly Peer Review. These activities shall include:

E.10.4.1 Software Requirements V&V includes the tracing of requirements from the System level
through the software level and checking for completeness, consistency and precision. Each requirements
document should also state the requirements in a way that may be confirmed by testing.

E.10.4.2 Software Design V&V confirms that the design implements the requirements correctly,
consistently, completely and accurately. The design description should be worded in such a way that each
feature is testable.

E.10.4.3 Code V&V confirms that the code implements the design with completeness, consistency and
precision. The code itself must be correct and consistent both within itself and with the coding standard. It
must also be structured in a way such that the design features are testable.

E.10.4.4 Test V&V ensures that the test procedures test the requirements or features as detailed in the
appropriate requirement or design document. Test results shall be analysed to determine that the subject of
the test meets both normal and abnormal operations. Tests should be carried out at unit, integration of
Software Configuration Items (SCI), and system integration:

E.10.4.4.1 The aim of Unit Testing is to check the functionality of the Unit against its design. A test
harness shall be used to simulate the inputs to the unit and monitor/report the outputs of the Unit. The
harness shall be designed to perform a Black Box test of the functionality provided by the Unit. It shall also
perform White Box testing, using an appropriate number of test cases to achieve 100% Statement and
Branch coverage. It shall also perform Boundary checks on all input data, array indices, etc. and shall test
any exception handling performed by the Unit.

E.10.4.4.2 The aim of Integration Testing is to progressively integrate together the software Units in
functionally related groups until the whole is integrated. At each stage of integration a Test Harness
(including any Test Stubs required) shall be used to simulate the inputs of the group and monitor/record the
outputs of the group. The harness shall be designed to exercise the interfaces between the Units and to
verify the combined functionality of the group.

E.10.4.4.3 The aim of System Integration Testing is to verify that the software can interface with and
execute upon the target hardware. In the initial stages of system integration this is usually tested using
equipment simulators to exercise the hardware external to the system in which the software is integrated.
The test procedure shall be designed to exercise each hardware/software interface including the input of
maximum and minimum values, and all outputs to the hardware. The tests shall then exercise the system
functionality including hardware responses.

E.10.4.5 The boundaries between the stages are not fixed in that the aims of Unit Testing may be better
achieved by testing two or three units integrated together, or a number of integrated units may be tested on
the target hardware in order to mitigate risks early. The strategy for the testing and integration of the
software from Unit to System level shall be defined in the Test Plan for the system.

E.10.4.6 Document Verification and Validation ensures that, in addition to the above points, the
documents are complete, consistent and adhere to any procedures controlling their contents, distribution and
version.

E.10.4.7 Checking, testing and verification of the software design, design process, source and object
code shall be conducted to reflect the level of confidence required to demonstrate the safety of the system.
This should include such methods as static analysis and formal arguments. The static analysis and formal
verification shall either be performed or reviewed by a V&V team who shall be independent of the design
team.

E.10.5 Stored constants, including pre-set data, which influence safety, shall be identified, and if
calculated off-line, consideration shall be given to the correctness of the programs that produced them.

Annex F
Design Recommendations for Test Equipment

F.1 Introduction

F.1.1 The majority of test equipments for the testing of weapon systems are portable, however, the
requirements are equally applicable to Special Purpose, Automatic Test Systems (ATS) or Built-in Test
Equipment (BITE), and can be considered to fall into 2 categories, depending on their application:

F.1.1.1 Equipment used to perform electrical checks on EED and their firing circuits, such as EED
resistance measurements, firing line continuity and isolation measurements, and the detection of spurious
voltages on firing lines (i.e. no-volt checks).

F.1.1.2 Other weapon electrical test equipment intended for performance tests on All Up Rounds (AUR),
or sub-assemblies, for example guidance functions, within a weapon system.

F.1.2 Equipment intended for testing EED, and firing circuits fitted with live EED, should be designed to
satisfy the Principles of Design in the main body of this standard.

F.1.3 The design recommendations given in this Annex should be supplemented as required by the
relevant recommendations given in Annex D with respect to electronics and microprocessors and in
Annex E with respect to associated software.

F.1.4 Electrical test equipment intended for use in buildings containing explosives must comply with the
conditions defined in JSP 482, Chap 8 [28].

F.1.5 Many new weapon systems and their associated test equipment are being procured as off-the-
shelf AUR without the benefit of MOD oversight/specification during their development. The assessment
and acceptability of off the shelf equipment will be based on these design safety principles and requirements.

F.2 Electrical Testing Of Firing Circuits

F.2.1 Electrical testing of firing lines fitted with live EED should not be standard practice except in well
controlled conditions in a suitable test facility. Where they are required they shall be carried out with great
care to ensure that the no-fire threshold of the EED, with adequate safety margin, is not exceeded either by
the power supplied by the test equipment or by unacceptable degradation of the RF shielding of the weapon
system (which may occur during testing). The test circuit is to meet the requirements of Def Stan 07-85 [19]
sections 15.3 and 15.7. These assume that the EED under test has a No-Fire Threshold Power no lower
than 20 mW and a NFT Energy no lower than 1mJ as characterized in accordance with Part 2 of this Def
Stan. For testing of EED with a lower NFT, appropriate more stringent limits shall be used.

F.2.2 The testing (by operating) of safety switches using routine BITE should not be carried out since this
inevitably degrades the safety integrity of the circuit during the test. Circuit and component reliability should
be sufficiently high to meet the system reliability requirements without such routine testing.

F.2.3 Connectors fitted to firing circuits solely for test purposes should be dedicated to that function and
should be incapable of mating with other than the intended test equipment. Connection of the equipment to
the EED circuit should not degrade the inherent safety of the EED circuit nor introduce into the EED circuit
any hazardous levels of electrical signal from external sources or systems.

F.2.4 Specially designed General Purpose Test Equipment (GPTE) is available for the safe measurement
of resistance, continuity, isolation and levels of any spurious ac and dc voltages which may be induced in
firing circuits. These are suitable for most EED in current use. Such equipment should be specified for use
whenever possible. For new GPTE or test equipments dedicated to a specific weapon/project the
requirements of Def Stan 07-85 Ref [19] and those listed below shall be applied.

a) Connection to the circuit should be via dedicated connectors - contact probes should not be used.

b) Test facilities should be incorporated to confirm the integrity of the test equipment and connecting leads.

c) Portable equipment should be designed to withstand the climatic and dynamic environment relevant to
its intended use and derived from Def Stan 00-35 [14].

F.3 All-Up Round Electrical Test Equipment

F.3.1 An All-Up-Round (AUR) is a conventional weapon or munition with all its sub-assemblies fitted
(ancillaries such as lanyards, suspension points and control surfaces may not be attached). An AUR test can
be carried out on the munition when it is either on or off a launch platform. An AUR test can use either built-
in test (BIT) or external test equipment. For some systems tests are carried out on an explosive sub-
assembly in which a fault/failure could result in a hazardous event in the same way as an AUR. Testing of
such sub-assemblies shall be treated in the same way as for an AUR described below. There are two
scenarios in which AUR/hazardous sub-assembly testing may be carried out:

F.3.1.1 Remote Testing. Remote testing is defined as testing of an AUR where the personnel would not be
at risk of death or severe injury if a hazardous event occurred. (This is achieved by ensuring a separation
distance, or structural protection, between the AUR and any personnel engaged in the test process).

F.3.1.2 Alongside Testing. Alongside testing is defined as testing of an AUR where any personnel
engaged in the test would be directly at risk of death or severe injury if a hazardous event occurred.

F.3.2 During testing, the safety of all personnel is paramount, and remote testing should be considered
the more favoured procedure. When the Design Organisation or Project Team (PT) wish to consider the
need for alongside testing greater effort will be required to demonstrate that the probability of a hazardous
event occurring, (including loss of operational capability and/or facilities), is ALARP and tolerable. The
argument must be included in the safety case report and must be accepted by the Project Safety Committee.

F.3.3 Electrical test equipment not directly associated with EED firing circuits, for example equipment
intended to check overall performance of a weapon system, may either be manually operated or under
automatic control. General requirements for all AUR test equipments are given below with specific additional
requirements for automatic test systems as shown in Clause F.4.

F.3.4 All associated risks to personnel and facilities are to be formally assessed and kept as low as
reasonably practicable (ALARP). The risks to be assessed are to include, but not be limited to, any of the
following occurring in the AUR or test equipment:

a) Full or partial initiation/ignition of an explosive component - including operation of power cartridges,
release mechanisms or blow-off devices.

b) Fire or overheating.

c) Creation of a hazardous electrical or electrostatic charge or over current.

d) Release of high pressure or toxic gases/liquids, fuels or radioactivity.

e) Unintended emission of radio frequency or laser energy sources.

f) Interruption or fluctuation in power supplies.

g) Release of acoustic hazards (to AUR or personnel).

F.3.5 The test equipment must be designed to be more than one fault safe. For alongside testing the
overall system shall be at least 2 fault safe. This requires a minimum of two or (for alongside testing) three
independently controlled design safety features for each potentially hazardous event. No common cause
failures shall lead to a hazardous event. In addition, the overall design shall meet the minimum AUR test
safety requirement of less than a 1 in 10^6 probability of a hazardous event during each test. Favourable
results of FTA and FMEA are not necessarily conclusive because failure modes may be overlooked, and
event probabilities may be uncertain. It is strongly recommended therefore that in the case of electronic test
equipment a test programme be instituted at the outset of a project that is designed to accumulate practical
evidence in support of an assessment of safety and suitability for service. Such testing should include on-
receipt inspection and test at component level; testing at board, sub-system and system level; as well as
production acceptance testing. All such evidence should relate to the in-service build standard.

F.3.6 The integrity of each safety feature is to be maintained throughout all possible test configurations.
Safety should be by design and not dependent on procedures.

F.3.7 Initiators of any electrically armed Safe Arm Device (SAD) or Ignition Safety Device (ISD) are to be
isolated from all test voltages or other external stimulus. Wherever practical, assurance is to be provided that
any SAD or ISD is in a SAFE state before and after AUR testing takes place. The safe state of all SAD and
ISD used in the weapon is to be monitored throughout the test operation and if necessary automatic
shutdown shall be initiated.

F.3.8 Where test equipments are to be used in licensed explosive buildings the requirements of JSP 482
Ref [28] are to be met.

F.3.9 Weapon internal power sources (including thermal batteries, power cartridges and gas generators)
are to be isolated from any test voltage or other external stimulus.

F.3.10 Adequate current limiting devices are to be fitted which will prevent a dangerous rise in
temperature in the weapon under test in the event of an electrical fault developing, such as a short-circuit.

F.3.11 The EMC requirements of the test equipment shall be assessed for all locations in which it is to be
used. For front line use the relevant levels specified in Def Stan 59-411 [25] should be applied. Where its
use is confined to well controlled environments the requirements of JSP 482 Ref [28] will generally be
adequate.

F.3.12 Clear and unambiguous procedures should be specified for the use of all test equipments.

F.4 No-volt Testing

F.4.1 Operator safety requires that no-volt tests on firing circuits should be carried out prior to the
installation/fitting of an EED. When such testing is to be carried out on a circuit or platform in which EED are
already installed it is necessary to ensure that safety is not compromised. In such cases a voltage-detecting
instrument designed in accordance with Def Stan 07-85 Ref [19] should be used.

F.4.2 Any NVST should always be carried out directly prior to the connection of the EED or weapon/store.
Measurement should be made directly on the firing line termination to which an EED is to be connected.
Where relevant, such tests should be carried out with all associated electrical systems in a set condition
which shall not be changed after the NVST is carried out and before the EED/store is connected.

F.4.3 Following modification of any platform electrical circuits associated with the EED initiation system, it
may be considered appropriate to carry out a NVST test. This should be undertaken with all associated
electrical systems in the vehicle/platform powered but with the relevant firing circuit(s) unarmed.

F.4.4 Where an in-service NVST is required it will be necessary for a means of ensuring that the test
equipment has made proper contact with the firing circuit to be provided for in both the test equipment and
the firing circuit.

F.5 Radiography
The radiography of currently known EED and their firing lines is unlikely to induce enough energy to cause
direct initiation, and is therefore considered non-hazardous. However, consideration should be given to the
radiation and total dose effects on any electronic circuits in the system. In addition, the EMC effect of the
radiography equipment on the EED, their firing lines and associated circuits must be considered.

F.6 Automatic Test Systems for All-Up-Round Testing and Section Testing

F.6.1 A full definition of the requirements applicable to Automatic Test Systems used in licensed explosive
facilities is given in JSP 482 Chapter 8 Ref [28] Annex B. These requirements are to be met for all such
systems.

Annex G
Design Recommendations for Transport, Storage and Handling Systems

G.1 Introduction

G.1.1 During transport, storage and handling operations, weapons employing EED firing circuits and
associated electronics will normally be in the unpowered condition. If the safety interlocks have been
designed to meet the safety principles set out in this standard the EEDs and associated electronics will only
be at risk from externally imposed environments. Electrically these are RF radiation, magnetic fields, ESD,
EMP, and lightning.

G.1.2 Munitions and weapons systems which have been assessed as safe and suitable for service in the
Minimum Service RF Environment (MSRFE) as specified in Annex H may be considered immune from all
sources of RF radiation (not including lightning, ESD or EMP) likely to be encountered during storage and
transport without need of additional EM protection. However, many systems are not cleared to the MSRFE or
may be susceptible in some conditions (e.g. unpacked, loaded to an aircraft or launcher, under
test/assembly).

G.1.3 Depending upon the susceptibility of the system containing the EED, the minimum safety distance
that should be maintained between the system and radio and radar transmitters, can be assessed in
accordance with Part 3 Annex C. The susceptibility and/or safe distances, determined for all weapons
systems are given in DAP110A-0102-1D [13], BR 2924 [11] and Ammunition and Explosives Regulations
(Land Services, Volumes I and II) [1]. In addition JSP 482 [28] Chapter 24 provides guidance on RADHAZ
safe distance assessments for explosive licensed buildings/sites.

G.1.4 When weapons systems containing EEDs are undergoing test, assembly, disassembly or packing
they should be handled in an appropriate electrostatically controlled environment. The regulations for this are
shown in JSP 482 [28] Chapter 8.

G.1.5 Buildings in which weapons/stores are stored, handled, tested and assembled should be fully
protected against lightning strike in accordance with the recommendations given in JSP 482 [28]. The
movement of munitions containing EED, outside buildings under lightning risk conditions, is covered by
individual Service regulations and system handbooks.

G.2 Transport And Storage

G.2.1 Packaging of Bare EED

G.2.1.1 To minimise the EMR and EMP susceptibility of EED which are being transported or stored as
bare items (i.e. not installed in a weapon or sub-assembly) their leads should be held together i.e. strip line
or twisted, along their entire length, as tightly as possible without risking damage to the EED terminations.
The individual ends of the EED leads may both be bared and twisted together or insulated from each other
depending on Service requirements. Where a number of EED are packaged together, electrical inter-
connections should be prevented, for example by the fitting of insulating sleeves over the bared ends.

G.2.1.2 Some EED have single strand leads that are sufficiently stiff to preclude twisting. Such an EED
should have its leads restrained to avoid separation.

G.2.1.3 EED should be packaged in accordance with Def Stan 00-88 [16] and, where appropriate, be
completely enclosed in metallic foil or within an EMR resistant container for storage and transport. The EED
and their leads should be electrically isolated from the packaging. EED should only be packed and unpacked
in specified locations using approved safety procedures.

G.2.2 Installed EED and Associated Electronics

EED installed in weapon systems should be tested/assessed to ensure they are not at risk from inadvertent
initiation due to the external electromagnetic environment. Provided that EED firing systems are designed in
accordance with the recommendations given in Annex B, they should be immune to the effects of EMI.
However, for some systems this immunity may require some shielding to be provided by the packaging. As a
further safeguard during transport and storage of assemblies and weapons, any umbilical or fixed firing
circuit connector should be fitted with protective metal caps in order to protect firing circuits from ESD and to
maintain effective shielding against EMR and EMP.

G.2.3 Transport and Storage Containers

G.2.3.1 Weapon systems designed to operate in a defined EM environment should normally ensure full EM
protection without reliance on the packaging to provide screening (except for direct lightning strikes). Where
this is not achieved, e.g. because of apertures and/or unsuitable fabrication techniques, or where
components/subsystems are separately transported, additional protection during transport and storage can
be provided by designing containers as electromagnetic shields. EMR trials will be required to provide
evidence of shielding effectiveness throughout the system's life. Advice on suitable trials techniques can be
given by the DOSG ST3. Munitions and weapon systems that depend upon containers for additional EM
protection should only be handled outside their containers in areas specified as safe by the Service
concerned. Sufficient attenuation of EM fields can be obtained by ensuring that:

G.2.3.1.1 The container incorporates either a metal construction or attenuating material designed to make
continuous electrical contact around the entire periphery of all interfaces, utilising RF gaskets as necessary.
(Note: recent work has shown that RF at microwave frequencies can very easily penetrate a box or metallic
bag where the lid is not well designed or where a seam has an insulating layer between surfaces.)

G.2.3.1.2 All interfaces are of compatible metals to avoid corrosion so that an effective RF shield can be
maintained throughout the life of the container.

G.2.3.2 Containers and their internal furniture shall meet the requirements of Def Stan 00-88 Ref [16].
Internal furniture should generally have static dissipative properties but this may be relaxed where there are
no static sensitive devices in the system. Where anti-static packaging material is required, then a product
which is bulk-impregnated with conducting material should be used in preference to one which is surface
treated. Surface treatments are prone to serious deterioration if subjected to rubbing and friction. The anti-
static properties of bulk-impregnated material should not be unacceptably degraded when subjected to the
loading imposed by the packaged item. Studs and cables intended to bond containers to earth to minimise
static charge build-up should not normally be required/specified. Where deemed by the Design Organisation
to be necessary the requirement should be fully justified and the arrangements provided should be simple
and robust.

Annex H
The Electrical and Electromagnetic Environment Associated With
Munitions

H.1 Introduction

H.1.1 Military systems must be designed to ensure Electromagnetic Compatibility (EMC) with the natural
and man-made Electromagnetic (EM) environment in which they are to be stored, transported and deployed.

H.1.2 It is Government policy to support NATO standards wherever these are suitable for defence
purposes. Over the past 25 years the DOSG have been active members of the committees developing a
number of standards identifying the EM environment to be used when assessing the effects on materiel
when subjected to this environment. These documents should be considered the minimum requirement
when assessing weapon/munition safety. Where the UK requirements are considered different from those
identified in the applicable NATO standards the reasoning should be identified in the System Requirement
Documentation.

H.1.3 Defence Standard 59-411 Part 2 [25] describes how to identify and quantify all aspects of the
electromagnetic and electrostatic environment that may be experienced at the external boundary of any
system. System designers can then assess their effect on internal equipments by considering the EM
coupling mechanisms across the boundary. The sections below describe all the environments relevant to
weapon systems and are consistent with Def Stan 59-411 Part 2 [25].

H.2 The RF Environment

H.2.1 General

H.2.1.1 A weapon system or munition will experience an RF environment during all phases of its life. The
RF levels will depend on the distance, orientation and screening of the system from radio and radar
transmitters. The maximum environment will therefore depend on the operational and maintenance
scenarios that need to be derived from the logistic and operational requirement. Given adequate knowledge
of these factors it is possible to determine the maximum power density that may be experienced at all
frequencies in all life phases. Ideally the process of determining the maximum RF environments should be
carried out for each new system and used for all subsequent design, assessment and test purposes. The RF
environment applicable should be agreed by the Project Team and detailed in the System Requirement
Specification, based on scenarios defined in the User Requirement Document, seeking advice from the
Defence Ordnance Safety Group (DOSG) where appropriate. Frequently, however, the default environment
levels described in Def Stan 59-411 Part 2 [25] will be used.

H.2.1.2 For ordnance items it will generally be necessary to define the RF environment during the phase of
its life when it is powered (i.e. being used) separately from those phases when it remains unpowered and is
being stored, transported or handled. For many items the loaded (to a launcher) and powered phases may
require a more benign environment than the un-powered phase but there are systems (e.g. ship vertical
launch missiles) which may see more severe levels immediately after launch. As these operational phases
will depend heavily on where the system is to be used and on the platform to which it is mounted the
environment needs to be defined based upon operational scenarios as noted above. However, during the
unpowered phases, since most OME items could be transported and handled in a similar environment, a
Minimum Service RF Environment (MSRFE) has been defined, which should be used for all systems. Where
personnel are involved, such as when loading/unloading, the RF levels should normally not exceed the
Personnel Exposure Limits (PEL) laid out in JSP 375 but this is not generally accepted as meaning a lower
clearance level is permissible.

H.2.1.3 Until publication of this standard the MSRFE used was that defined in STANAG 4234 Ed 1 or for
use on ships in STANAG 1307 (both now cancelled). The replacement NATO standard, AECTP 250 Leaflet
258 [6], although identifying worst-case RF environments for specific platform types, does not currently
address a Minimum Service RF Environment for munitions. Therefore, based on UK data and data made
available by other nations the MSRFE to be used is as defined in Table H.1. This environment is included in
Def Stan 59-411 [25] but is also included here for completeness. DOSG paper at reference [24] provides a
discussion of how this environment was derived but it is a classified document.

H.2.1.4 Table H.1 therefore specifies the minimum levels of RF intensity against which all systems
incorporating EED should be designed and tested to ensure they remain safe and suitable while
un-powered. This generally requires demonstrating that the energy/power induced in all EEDs does not exceed
an agreed margin below the EED no-fire threshold. Demonstration/assessment of safety should address all
phases of the munition life while it is un-powered (i.e. packaged, unpackaged, being handled) unless a
relaxation, for a well-defined reason, is accepted by DOSG. This environment should also be used for the
phase where the system is loaded to a launcher unless a weapon specific environment has been defined.
The table includes both average and peak levels. The previous definition of MSRFE did not include peak
levels since most EED will not respond to short pulses. Clause H.2.2 below discusses this issue further.

Table H.1 The Minimum Service Radio Frequency Environment

Frequency            Average Power Density    Peak Power Density
                     (W/m²)                   (W/m²)

10 kHz - 3 MHz       200 V/m                  200 V/m
3 MHz - 32 MHz       200 V/m                  200 V/m
32 MHz - 150 MHz     30                       30
150 MHz - 225 MHz    80                       80
225 MHz - 400 MHz    100                      100
400 MHz - 790 MHz    50                       5000
790 MHz - 1 GHz      150                      5000
1 GHz - 2.5 GHz      1000                     30 x 10³
2.5 GHz - 4.5 GHz    2400                     265 x 10³
4.5 GHz - 6 GHz      500                      140 x 10³
6 GHz - 8 GHz        1500                     3.2 x 10³
8 GHz - 12 GHz       1500                     265 x 10³
12 GHz - 18 GHz      1500                     86 x 10³
18 GHz - 40 GHz      500                      36 x 10³

H.2.1.5 Once a munition is powered the electronics as well as the EEDs become vulnerable to upset by the
external RF environment. Radiated susceptibility tests to demonstrate correct operation of all the circuits are
therefore necessary. The test levels required will normally be the same as those applied to the parent
platform or, if man portable, to a worst-case battlefield environment. Def Stan 59-411 [25] provides worst-case
tables for such scenarios and these should be used to help define the relevant test level. For circuits that
control EED initiation or have a direct safety function a safety margin of at least 6 dB should be
demonstrated (see Part 3 Annex A for further discussion of safety margins). When defining the relevant level
to be used the following issues should be addressed:

H.2.1.5.1 What are the immediate pre and post launch environments that will be experienced by the
munition? Aircraft, ship and vehicle launched missiles may fly through the main beam of powerful radars very
close to the launch platform. If this is the case the levels in some bands may exceed those in the MSRFE
and pick-up in unfired EED circuits will need to be addressed as well as operation of the electronics.

H.2.1.5.2 Some munitions are required to attack targets which may have high power electromagnetic
emitters. The need to include consideration of these in the operational environment levels will depend on the
functionality required of the electronics and warhead close to the target.

H.2.1.5.3 Some munitions and weapon systems, when in an operational mode, generate RF energy. In
addition to the external environment these systems must be demonstrated to remain fully operational and the
EEDs unaffected in the fields which the transmitters generate.

H.2.2 Peak Pulse Power Intensity

H.2.2.1 In Table H.1, the electric field intensities (Vm⁻¹) and power densities (Wm⁻²) are expressed in
average (or mean) and peak values. The mean values are sufficient to assess the potential susceptibility of
those EED that only respond to mean power. Energy sensitive EED (see Part 2) may, however, be
susceptible to the energy content of a single radar pulse so knowledge of the peak pulse power level is
important.

H.2.2.2 The very fast response time of microelectronic devices and microprocessors also makes them
susceptible to the peak power of CW and pulsed transmissions. Therefore, any assessment of their
susceptibility to RF must consider the peak values of the RF environment. The peak pulse-power of a radar
transmission is a function of the mean power and the duty cycle (mean pulsed power = peak power x duty
cycle). However, since it is not necessarily the same radar that has driven both the mean and peak values in
any frequency band it is not possible to make assumptions about the duty cycle from the numbers in
Table H.1. In order to allow use of the formulae given in Part 2 sub-clause 5.2.9 to calculate peak power
sensitivity of an EED, actual radar data is required and DOSG should be consulted.

H.2.3 RF Environment Outside the Control of the UK

It is unlikely that foreign transmitters that may be in proximity to UK weapon systems will be significantly
higher powered than those considered in compiling Table H.1. Some data on field levels from foreign
transmitters is available from the work done in compiling Def Stan 59-411 [25] and DOSG should be
consulted if necessary.

H.2.4 Control of RF Communication Equipment

H.2.4.1 The level and spectrum coverage of RF energy being generated for voice and data
communications in ships, aircraft, and vehicles is increasing. Man-pack radios, hand-held radios, mobile
phones and the emergency services radios (Fire, Police and Ambulance) as well as data communications
services, SATCOM systems, radars and ECM equipments must also be taken into account when assessing
the overall RF environment.

H.2.4.2 On-site/platform/range communication equipment or any electronic devices with a deliberate RF
output should be approved by the establishment concerned for entry into areas where EED are stored,
processed, handled or used, i.e. Explosive Storage Area (ESA), hangars, flight lines, vehicle parks and
ranges. Access by vehicles or personnel equipped with communication devices to any area where EED are
stored, processed, handled or used must be strictly controlled. The regulations concerning this are contained
in JSP 482 Chapter 24 [28] and BR2924 [11], DAP 110A-0101-1D [13] and Land Service Ammunition and
Explosive Regulations [1].

H.2.4.3 Consideration must be given to the accumulation of emitters in one area where the basic power of a
single emitter can be augmented by other emitters within range of the EED. Further advice can be obtained
within the individual service publications noted in clause H.2.4.2 above.

H.3 Electrostatic Environment

H.3.1 An electrostatic discharge (ESD) event can be described as primarily a high voltage breakdown
phenomenon. The breakdown is characterized as a capacitor discharge pulse and the damage to
components is very similar to the damage associated with high frequency radar pulses. If the source direct
current (dc) circuit resistance is relatively large, say > 300 ohms, then it will control the current and energy
deposited in the sensitive component. If the dc circuit resistance is relatively small, then the circuit
inductance is the controlling factor. Any contact or rupture of insulation between a charged object and an
EED or circuit component with a path to ground will result in an electric discharge through the component
resulting in a potential safety hazard or degradation of operation to the system.

H.3.2 The primary safety concerns for EED are discharges from pin to pin through the bridgewire or from
pin to case through the explosive mix of an electrically initiated firing device. Discharges direct from
personnel are potentially the most likely and severe to which munitions may be exposed. AECTP 250 Leaflet
253 [3] gives a full description of the electrostatic charging and discharging phenomenon. This reference
also defines a human body discharge model for use in assessing and testing the immunity of systems to
ESD. Munition systems are to be shown to be immune to the levels given in the leaflet and repeated in Table
H.2 below. Pin to case tests are to be carried out using both the 500 Ω and 5000 Ω body resistances for the
reasons described in clause 6.4.2.6 of Part 2 of this standard. Pin to pin testing can generally be limited to
using only the 500 Ω resistance.

H.3.3 During logistic operations, materiel will be carried by various means of transportation. The situation
causing the greatest concern with respect to the electrostatic environment is the electrostatic charge build-up
on materiel when transported by helicopter. As for the personnel-borne electrostatic charge, the charge on a
helicopter is a potential hazard when it is discharged through sensitive equipment or munitions which may be
carried as an underslung load. Helicopters and other aircraft become electrostatically charged by ion
emission from the engines and by the triboelectric charge separation from water and dust particles striking
the airframe. They also become charged relative to ground due to the naturally occurring charge gradient in
air, particularly in certain atmospheric conditions. The worst-case helicopter ESD environment which might
be encountered during transportation is defined in AECTP 250 Leaflet 254 [4] and is repeated here at Table
H.3.

H.3.4 In addition an aircraft or projectile passing through rain, dust, snow and ice can cause an
electrostatic charge build-up on the system structure due to charge separation. This phenomenon leads to
precipitation static (p-static) which can cause considerable reduction in radio reception. Moreover, if the
missile or aircraft is not adequately bonded throughout its length discharges can occur between sections,
which may induce harmful currents in adjacent wiring. This effect is not covered by the levels given in
Table H.2 and Table H.3 but should be addressed as part of the bonding requirements established during
system design.

Table H.2 Personnel-Borne Electrostatic Parameters

Type of Discharge              Parameters
                               Electrostatic Voltage   Capacitance   Resistance    Circuit Inductance
                               (kV)                    (pF)          (Ω)           (µH)

Discharge on Munitions         25                      500           500 & 5000    5 max.
Discharge on Non-munitions     8 or 15                 150           330           5 max.

NOTE Electrostatic voltages of 8 kV for contact discharge and 15 kV for air discharge are in accordance with
IEC-61000-4-2, table 1. All values (25 kV, 8 kV, and 15 kV) will be charged to positive and negative voltage. All
parameters have a tolerance of ±5%.

Table H.3 Helicopter-Borne Electrostatic Parameters

Type of Discharge              Parameters
                               Electrostatic Voltage   Capacitance   Resistance    Circuit Inductance
                               (kV)                    (pF)          (Ω)           (µH)

Helicopter Discharge Only      300 ± 5%                1000 ± 5%     1             20 max.

H.3.5 Intermediate voltages between zero and the ESD environments given in Table H.2 and
Table H.3 will also exist. These intermediate voltages should therefore be considered during assessments
and tests to identify voltage breakdown paths that may not be observed at the voltage levels given in the
tables and which may have an adverse effect on the materiel. The assessment and/or testing of the ESD
susceptibility of a munition should be conducted in accordance with AECTP 500 Leaflet 508/2 [7].
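
The distinction drawn in clause H.3.1 between resistance-controlled and inductance-controlled discharges can be
checked for the munition and helicopter source models of Tables H.2 and H.3 by treating each as a series R-L-C
circuit. The following is an added worked example, not part of this standard: the series R-L-C model, the use of
the tabulated maximum inductance, the reading of the resistance and inductance columns as ohms and microhenries,
and all function and key names are assumptions made for illustration.

```python
"""Added illustration: series R-L-C discharge of the ESD source models in Tables H.2 and H.3."""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class EsdSource:
    voltage_v: float        # charging voltage
    capacitance_f: float    # source capacitance
    resistance_ohm: float   # series resistance (assumed to be in ohms)
    inductance_h: float     # circuit inductance at the tabulated maximum (assumption)


# Values transcribed from Tables H.2 and H.3; the keys are labels chosen for this example.
SOURCES = {
    "munition_500": EsdSource(25e3, 500e-12, 500.0, 5e-6),
    "munition_5000": EsdSource(25e3, 500e-12, 5000.0, 5e-6),
    "helicopter": EsdSource(300e3, 1000e-12, 1.0, 20e-6),
}


def stored_energy_j(s: EsdSource) -> float:
    """Energy held on the source capacitance before discharge, E = C V^2 / 2."""
    return 0.5 * s.capacitance_f * s.voltage_v ** 2


def critical_resistance_ohm(s: EsdSource) -> float:
    """Series resistance at which the discharge is critically damped, 2*sqrt(L/C)."""
    return 2.0 * math.sqrt(s.inductance_h / s.capacitance_f)


def damping_ratio(s: EsdSource) -> float:
    """Above 1 the resistance limits the current; well below 1 the inductance does."""
    return s.resistance_ohm / critical_resistance_ohm(s)


def regime(s: EsdSource) -> str:
    zeta = damping_ratio(s)
    if math.isclose(zeta, 1.0, rel_tol=1e-9):
        return "critically damped"
    return "overdamped" if zeta > 1.0 else "underdamped"


def peak_current(s: EsdSource) -> tuple[float, float]:
    """Return (peak current in A, time to peak in s) from the closed-form R-L-C solution."""
    alpha = s.resistance_ohm / (2.0 * s.inductance_h)
    omega0 = 1.0 / math.sqrt(s.inductance_h * s.capacitance_f)
    if math.isclose(alpha, omega0, rel_tol=1e-9):
        t = 1.0 / alpha
        return s.voltage_v / s.inductance_h * t * math.exp(-1.0), t
    if alpha < omega0:
        # Underdamped: i(t) = V/(wd*L) * exp(-alpha*t) * sin(wd*t)
        wd = math.sqrt(omega0 ** 2 - alpha ** 2)
        t = math.atan2(wd, alpha) / wd
        return s.voltage_v / (wd * s.inductance_h) * math.exp(-alpha * t) * math.sin(wd * t), t
    # Overdamped: i(t) = V/(k*L) * exp(-alpha*t) * sinh(k*t)
    k = math.sqrt(alpha ** 2 - omega0 ** 2)
    t = math.atanh(k / alpha) / k
    return s.voltage_v / (k * s.inductance_h) * math.exp(-alpha * t) * math.sinh(k * t), t


def summarise() -> dict[str, dict[str, float | str]]:
    """Collect the derived quantities for every source model."""
    out: dict[str, dict[str, float | str]] = {}
    for name, s in SOURCES.items():
        i_pk, t_pk = peak_current(s)
        out[name] = {
            "energy_j": stored_energy_j(s),
            "critical_resistance_ohm": critical_resistance_ohm(s),
            "damping_ratio": damping_ratio(s),
            "regime": regime(s),
            "peak_current_a": i_pk,
            "time_to_peak_s": t_pk,
        }
    return out


if __name__ == "__main__":
    for name, row in summarise().items():
        print(f"{name:14s} E={row['energy_j']:.4g} J  Rcrit={row['critical_resistance_ohm']:.1f} ohm  "
              f"zeta={row['damping_ratio']:.3g} ({row['regime']})  "
              f"Ipk={row['peak_current_a']:.4g} A at {row['time_to_peak_s'] * 1e9:.1f} ns")
```

For the munition models the damping ratio is well above 1, so the peak current stays below V/R. For the helicopter
model it is far below 1, so the peak current approaches V/sqrt(L/C).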

H.4 Lightning

H.4.1 The numerical values of the parameters of lightning strikes have been determined in measurement
surveys over many years. Each lightning strike will have unique characteristics, but statistical descriptions of
the parameters have been derived.


H.4.2 A thorough description of the fields and currents due to lightning can be found in AECTP 250
Leaflet 254 [4]. The lightning discharge current, its rise time and its duration primarily determine the effects
of a lightning strike on metal structures. The assessment of the lightning effects on a munition and/or
associated systems should be conducted in accordance with AECTP 500 Leaflet 508/4 [8]. Such an
assessment, whether theoretical or practical, requires expert knowledge of the threat and for tests requires
special test equipment. It will, therefore, normally need to be carried out by a specialist.

H.4.3 Lightning effects on systems can be divided into direct (physical) and indirect (electromagnetic)
effects. The physical effects of lightning are burning and eroding, blasting, and structural deformation, as well
as the high-pressure shock waves and magnetic forces produced by the high currents. The indirect effects
are those resulting from the electromagnetic fields associated with lightning and the interaction of these
electromagnetic fields with equipment in the system (i.e. induction of currents into cabling). Lightning that
does not directly contact system structure (i.e. nearby or indirect strikes) can also produce a hazardous
indirect effect.

H.4.4 Weapon systems, when considered appropriate in the User or System Requirement Documents
(URD/SRD), shall meet their operational safety/performance requirements for both direct and indirect effects
of lightning. Normally, weapons should remain safe and meet their operational performance requirements
after experiencing a nearby/indirect strike in an exposed condition and a direct strike in a packaged
condition. They also should remain safe during and after experiencing a direct strike in an
exposed/unpackaged condition. The applicability of a direct strike lightning hardness requirement to a
powered weapon system may frequently be considered unnecessary unless it is powered on the launcher for
a significant time.

H.4.5 It is generally accepted that worldwide approximately 90% of all cloud-ground lightning strikes are
negative and 10% are positive. However, depending on the geographic region, season, type of cloud and
phase of the thunderstorm, very different percentages can occur. For example in the UK the percentage of
positives is about 40% in summer and 60% in winter. There is also debate on how a combined set of
parameter levels should be derived even once a ratio of positive to negative strikes has been set. The levels
defined in AECTP 250 Leaflet 254 [4] assume a 10% positive content and for 98% of all strikes give
parameter levels shown in Table H.4. The derivation of the direct and indirect effects parameters is very
complex and so is not repeated here. For those requiring it, a full description is given in AECTP 250 Leaflet
254 [4].

Table H.4 Lightning Strike Parameters (Combined Positive and Negative Flashes)

Parameters                                                   Unit     Lightning Parameters

Peak rate of change of current (aircraft)                    As⁻¹     1.4 x 10¹¹
Peak rate of change of current (ground and sea platforms)    As⁻¹     1.0 x 10¹¹
Peak current                                                 kA       200
Action integral                                              A²s      3.75 x 10⁶
Charge content (of continuing current)                       C        300

NOTES:
1. The action integral and charge content values are higher than those currently defined for
international civil aircraft. However recent air accidents in the UK have shown that these higher levels
do occur and should be specified for critical systems.
2. The 2010 edition of IEC 62305-1 Annex A has 200 kA and 10⁷ A²s respectively as
the 1% parameter values for peak current and action integral. It also recognises that peak
current may rise to 600 kA for 0.1% of all lightning flashes. If a system is likely to be exposed
to lightning strikes for a considerable period these higher values should be taken into
consideration.


H.5 Electromagnetic Pulse

H.5.1 A nuclear explosion releases energy in the form of a pulse of electromagnetic radiation known as
"electromagnetic pulse" (EMP), or sometimes "nuclear electromagnetic pulse" (NEMP). It extends over a
frequency range of tens of kHz to hundreds of MHz. A comparison of the EMP and Lightning waveforms and
spectrums is provided in Figure H.1. About 0.1% of the total weapon release is in the form of gamma
radiation and 0.1% of this is actually converted into EMP, the remainder into heat. The interaction of this
pulse with electrical or electronic systems may lead to system degradation or failure.

H.5.2 The characteristics and area of influence of the effect depend on the height of burst and two
extreme cases are identified: Endo-atmospheric burst, i.e. ground or low air burst and Exo-atmospheric
burst, i.e. high altitude burst at heights between 35 and a few hundred km. For the latter the EMP is emitted
over an area of many thousands of square km and therefore it constitutes the major threat. An unclassified
description of the EMP threat is given in AECTP 250 Leaflet 256 [5]. For a full description of the classified
threat see AEP 4 [9].

H.5.3 Many systems do not have a specific requirement expressed in their URD/SRD for EMP protection.
However, where required the system shall remain safe or meet its operational performance requirements
after and sometimes during exposure to the EMP environment.

Figure H.1 Waveform and Spectrum Comparisons between EMP and Lightning


Annex I
Glossary Of Terms And Abbreviations

I.1 Glossary of Terms

Abnormal Firing Mode: A method by which an EED can be fired due to the application of electrical energy in a
manner different from that intended, for example pin-to-case breakdown in a double-pole EED.
All-Fire Threshold: The level at which there is a 99.9% probability of fire at the 95% upper single sided
confidence limit.
Aliasing: Aliasing occurs when a program variable is addressed in more than one way and effectively has more
than one name.
Application Specific Integrated Circuit: An integrated circuit designed to satisfy a specific application rather
than a general-purpose requirement.
Arm: To make a fuzing or firing system ready for functioning by removal of all the safety constraints thus
permitting the munition to be fired on receipt of the specified firing stimulus and to function as intended.

    The system is considered armed when any firing stimulus can cause the system to function.

    - for fuzing systems employing explosive train interruption: when the interruption (interrupter(s)
      position(s)) is such that the probability of propagation of the explosive train exceeds a specified
      value (e.g., 0.005 at the 95% single-side lower level of confidence);

    - for fuzing systems employing a non-interrupted explosive train: when the stimulus available for
      delivery to the initiator equals or exceeds the initiator's no-fire threshold.

Assembler: A program which translates assembly language into its binary equivalent.
Assembly Language: A language intermediate between a high-level language and machine language.
Balanced Mode Current: The difference component of induced current that circulates around a circuit situated in
a uniform electromagnetic field. This current flows through the load of a balanced circuit.
Bulk Current Techniques: The use of current probes clamped around a cable loom or any of its branches to induce
and/or monitor radio frequency signals in a system under test.
Bridge-wire Electro-Explosive Device: An EED where the power dissipated by current flowing through a resistive
wire is used to initiate, by heating, a primary explosive in intimate contact with the wire.
Conducting Composition Electro-explosive Device: An EED where the primary explosive is intimately mixed with a
small quantity of conducting material (e.g. graphite and powdered metals), which, when placed in a suitable
container, allows the flow of an electrical current between two electrodes. As the current flows, sufficient
heat is generated to function the composition.
Common Cause Failure: The failure of 2 or more components due to a single cause.
Common Mode Current: The common component of induced current that flows in each wire of a balanced circuit
situated in an electromagnetic field. This current does not flow through the load of a balanced circuit.
Compiler: A program which acts as a translator between a program written in a high level language and a
machine, by producing machine code.
Computed Jump: A program instruction of the form go to e where e is an integer expression that must be
evaluated to determine the destination.


Design Authority / Design Organisation: An approved Duty Holder who manages the system to ensure that vital
features of the system, facility, utility or plant are identified and maintained throughout life. The Design
Authority/Organisation is responsible for the provenance of the design documentation included in the Safety
Case.
Double-Pole Firing Circuit: A firing circuit which employs two wires (one to each electrode/terminal) and is
either completely isolated from, or balanced about, earth or system ground.
Duty Cycle/Duty Ratio: The ratio of pulse length and the repetition period, or the ratio of average to peak
pulse power.
DRAM (Dynamic RAM): A form of read/write memory which requires refresh signals to ensure that it retains its
information.
Dynamic Switch (Electrical): An electrical design safety feature (energy interrupter) which continuously cycles
between 2 or more states, at a rate and in a pattern that is most unlikely to be induced unintentionally during
any credible life-cycle phase and which, on its own or combined with another safety feature, provides a fail
safe feature.
Earth: An electrical connection to the general mass of the Earth (see also Ground).
Exploding Bridge-Wire Electric-explosive Device: An EED which, when subjected to a high energy, short duration
electrical pulse heats up rapidly, partially sublimes and then explodes, projecting high energy particles,
causing detonation in a relatively insensitive explosive, which is in direct contact with the bridge-wire.
Electro-Explosive Device: A one shot explosive or pyrotechnic device used as the initiating element in an
explosive train and which is activated by the application of electrical energy. For the purposes of this Defence
Standard the term includes primers, fuzeheads, caps, detonators, igniters, initiators and cartridges.
Exploding Foil Initiator or Slapper Detonator: An EED with a low resistance bridge which when subjected to a
high energy, short duration electrical pulse, converts electrical energy into kinetic energy to project a high
velocity flyer plate which, on impact, causes a detonation in a relatively insensitive explosive which is not in
direct contact with the bridge.
Electromagnetic Compatibility: The ability of electrical and electronic equipments, sub-systems and systems to
share the electromagnetic spectrum and perform their desired functions without unacceptable degradation from or
to the electromagnetic environment in which they exist.
Electromagnetic Interference: Any electric, magnetic or electromagnetic disturbance, phenomenon or emission
which causes or is likely to cause undesired response, malfunction, or unacceptable degradation of performance
of any equipment, subsystem or system, or unacceptable degradation of the electromagnetic environment.
Electromagnetic Pulse: A secondary output of nuclear weapons resulting from the interaction of the prompt gamma
rays with the atmosphere.
Electromagnetic Radiation: Radiation made up of oscillating electric and magnetic fields and propagated with the
speed of light. Includes gamma radiation, X-rays, ultra-violet, visible and infra-red radiation, and radar and
radio waves.
Endo-atmospheric: Within the atmosphere, altitude less than 35 km, associated with a nuclear explosion.
Exo-atmospheric: Outside the atmosphere, altitude greater than 35 km, associated with a nuclear explosion.
Film Bridge Electro-Explosive Device: An EED where the power dissipated by the passage of current through a
resistive vacuum deposited film or foil of very small dimensions is used to initiate by heating a primary
explosive which is in intimate contact with the film or foil.
Filter: A device or component intended to protect a sensitive load from conducted EMI.
Filtered Connector: An electrical connector (plug or socket) comprising individually filtered pins.
Firing Unit: A Firing unit is a combination of power source and safety and trigger switches used to initiate an
EED.
Fireset: For high voltage characterization (> 500 V for fuze application) a fireset is the integral part of a
high voltage initiation system designed to produce an electrical pulse with specific characteristics. It
normally consists of a firing capacitor, triggered high voltage switch and its trigger circuitry.


Fuzing System: A complete system including fuze and ancillary devices necessary for fuze operation. The fuzing
system components may be distributed throughout the munition.
Ground: The plane of zero potential for an electronic system (see also Earth).
High Level Language: A language which enables programs to be written using mathematical and linguistic
notation.
Hazard Measuring Equipment: Electronic equipment designed specifically to allow the measurement in-situ of
current induced in firing circuits using simulated EED.
Host-Target Method: Method where software is prepared, validated and compiled, preferably using a structured
language, on an appropriate computer (Host). The compiled program is transferred from the host computer to the
production device (the Target) in machine code.
Illegal Jump: An unintended jump from one part of a program to another part.
Independent Safety Feature: A safety feature which is not affected by the function or malfunction of any other
safety feature.
Insertion Loss: The loss attributable to the insertion of an electrical network (e.g. an attenuator or filter)
between a source of power and its load.
Interrupt: The process by which an external event causes the microprocessor to discontinue its present
operation and branch to an alternative program routine.
Intrinsic Safety: The extent to which a circuit design is proof against unsafe failure as a result of a single
internal fault.
Latch-up: The process by which a semiconductor circuit is locked into a particular condition following nuclear
radiation, power supply fluctuation or other disturbance.
Machine Language: A language which is used directly by a machine, consisting of instructions in binary code.
Malfunction Threshold: Malfunction Threshold (MFT) is the stimulus (voltage, current or power), when applied to
the EED, that produces a 0.1% probability of damage at the 95% single sided lower confidence level, such that
the EED will not or may not fire when subsequently subjected to the operational firing pulse from the tactical
fireset.
Matched Condition: Allowing the maximum transfer of energy.
Maximum Allowable Safe Stimulus: The projected voltage at which a high voltage EED has a 10⁻⁶ probability to
fire with ideal confidence (often referred to as the point estimate).
Misfire: Failure to fire or explode properly.
Mode Conversion: The process by which common mode current reinforces the balanced mode or vice-versa.
Monolithic Compilation: Simultaneous compilation of all the software into machine code to help enforce
configuration control.
Munition: A device, e.g. a complete missile, shell, aircraft bomb or flare charged with explosives, propellant,
pyrotechnic or initiating composition for use in connection with defence, offence, training or non-operational
purposes, including mines and demolition charges.
No-Fire Threshold: The value of power, energy or current at which the probability of firing of an EED is 0.1%
at the 95% single-sided lower limit of confidence. The NFT energy and power are derived for times which are
short or long, respectively, compared to the thermal time constant.
Noise Margin: The amount by which the wanted signal exceeds the level of noise.
Normal Firing Mode: The firing of an EED in the intended manner.
No-volt Check: The use of a Safety Test Set to check for the absence of any voltage across the lines selected.
Object Code: The executable machine code output from a compiler or an assembler.
Parity Check: The use of a self-checking code employing binary digits in which the total number of 1s (or 0s)
in each permissible code expression is always either even (even parity) or odd (odd parity).


Procedure (with regard to computer programming): Software executed when called from within a program; on
completion control returns to the point of call.
Program Module: A component or sub-program, possessing a unique entrance and unique exit, that is capable of
independent specification.
Qualification: The assessment of an explosive material or EED by the National Authority to determine whether it
possesses properties that make it safe and suitable for consideration for use in its intended role.
Radio Hazards: The inadvertent initiation of EED resulting from exposure to radio frequency radiation. (For USA
terminology see HERO)
Random Access Memory: A form of read/write memory which provides immediate access to any storage location.
Reaction Time (of an EED): The time taken from application of the electrical stimulus to an EED to the point
when an irreversible chemical reaction occurs.
Read Only Memory: A form of memory where information is stored permanently or semi-permanently and is read out
but not altered.
Recursion: Occurs if the calling structure of a set of program procedures contains a cycle: example: A calls B,
B calls C, C calls A. i.e. A calls A.
Reliability: The ability of an item to perform a required function under stated conditions for a specified
period of time.
Reliability Screening Process: The removal of early life failures in electronic components.
Safety: The freedom from hazards to personnel and material at all times recognizing the considerations of
operational necessity as a limiting factor.
Safety and Arming Device: A device whose primary purpose is to prevent an unintended functioning of the main
charge or propulsion unit due to the operation of the fuze prior to completion of the required arming delay or
prescribed sequential arming requirements and in turn, allow the explosive train of the munition to function
after arming.
Safety Assertions: Boolean propositions, planted strategically in the program, whose satisfaction should
contribute to the safety of the software (see also defensive programming).
Safety Break: A physical break in a firing circuit provided by a switch or relay between the power source and
the EED, in addition to the firing switch.
Safety Margin: An allowance, below the NFT of an EED or the malfunction level of the electronics, to ensure an
acceptably small probability of functioning.
Safe Separation Distance: A minimum distance between the delivery system (launcher/launch platform), and the
munition beyond which the hazards associated with the munition functioning are acceptable. Also used to refer to
the distance that must be maintained between an RF transmitter and a munition to ensure inadvertent initiation
of an EED does not occur.
Semi-conductor Bridge: An EED containing a heavily doped polysilicon bridge, which when subjected to a pulse of
electric energy produces a plasma discharge initiating an explosive with which it is in contact.
Sensor: A component or series of components which detects the presence of, or change in, a particular
environmental factor, or the presence or movement of an object.
Shielding: The means of reducing the amount of radiation reaching one region from another. Alternatively, the
extent of such reduction.
Shutter: A safety device in an explosive train for isolating the initiating explosive.
Single-pole: Where one terminal of an EED is connected to ground at a point less than 10 mm from EED body, such
a circuit is considered to be single-pole.
Software: The non-hardware elements of a computer system including, amongst others, applications programs,
operating systems, programming languages, data bases and associated documentation.
Source Text: The version of a program that is input to a compiler or an assembler.
Static Analysis: Covers those techniques for assessing software or hardware without actually testing it.
Static RAM: Data stored in random access memory that need not be refreshed.


Static Switch A switch which is in either the off or on condition.
Structured Language Language that encourages structured programming, examples are PASCAL and
Ada.
Sum Check The summation of an array or list of computer words to determine whether the total
is equal to a unique test pattern of bits stored elsewhere.
Switching Threshold of an Electronic Switch The level of voltage or current at which an electronic switch operates.
Synchronous Refresh Controller A microelectronic device which provides the stimuli at precisely determined times
for refreshing a dynamic memory.
Syntax Analysis Analysis to determine whether the rules governing the structure of a language have
been obeyed.
Target Processor The microprocessor for which the system is compiled.
Thermal Time Constant (of an EED) A time related to the thermal response time of an EED. For a normal bridge-wire
EED it is taken as the point of intersection between the constant power and
constant energy regions of the EED NFT when plotted on log-log scales.
Transient A non-regular, momentary surge of electric or electromagnetic energy.

I.2 Abbreviations

AFT All-Fire Threshold
ALARP As Low As Reasonably Practicable
ASIC Application Specific Integrated Circuit
ATE Automatic Test Equipment
BITE Built-In Test Equipment
BSL Basic Safety Limit
BSO Basic Safety Objective
BCI Bulk Current Injection
BCM Bulk Current Monitoring
BW EED Bridge-Wire Electro-Explosive Device
CC EED Conducting Composition Electro-Explosive Device
CMOS Complementary Metal-Oxide-Semiconductor
DC Direct Current
DOSG Defence Ordnance Safety Group
DRAM Dynamic RAM
EBW EED Exploding Bridge-Wire Electro-Explosive Device
EED Electro-Explosive Device
EFI Exploding Foil Initiator or Slapper Detonator
EM Electromagnetic
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
EMP Electromagnetic Pulse
EMR Electromagnetic Radiation
ESAU Electronic Safety and Arming Unit
ESD Electrostatic Discharge
FB EED Film Bridge Electro-Explosive Device
FMEA Failure Mode and Effects Analysis
FMECA Failure Mode, Effects and Criticality Analysis
FTA Fault Tree Analysis


GPTE General Purpose Test Equipment
HF High Frequency
HIRTA High Intensity Radio Transmission Area
HME Hazard Measuring Equipment
HV EED High Voltage Electro-Explosive Device
LEMP Lightning Electromagnetic Pulse
LV EED Low Voltage Electro-Explosive Device
MASS Maximum Allowable Safe Stimulus
MF Medium Frequency
MFT Malfunction Threshold
MOS Metal oxide silicon
MTDS Manufacture to Target or Disposal Sequence
NEMP Nuclear Electromagnetic Pulse
NFT No-Fire Threshold
NVST No-Volts Safety Test
PAT Production Acceptance Testing
PMP Project Management Plan
RF Radio-Frequency
RADHAZ Radio Hazards
RAM Random Access Memory
RCV Remote Control Vehicles
REG Radio Frequency Environment Generator
ROM Read Only Memory
S3 Safe and Suitable for Service
SDS System Defining Specification
SCB Semi-conductor Bridge
SEMP System Engineering Management Plan
SHF Super High Frequency
SRAD Susceptibility RADHAZ Designator
SRD System Requirements Document
STANAG Standard NATO Agreement
TME Transient Measuring Equipment
TRAD Transmitter RADHAZ Designator
UHF Ultra High Frequency
VHF Very High Frequency
V&V Verification and Validation

Crown Copyright 2012

Copying Only as Agreed with DStan

Defence Standards are Published by and Obtainable from:

Defence Equipment & Support

UK Defence Standardization

Kentigern House

65 Brown Street

GLASGOW G2 8EX

DStan Helpdesk

Tel 0141 224 2531/2

Fax 0141 224 2503

Internet e-mail enquiries@dstan.mod.uk

File Reference

The DStan file reference relating to work on this standard is D/DSTAN/59/114/1.

Contract Requirements

When Defence Standards are incorporated into contracts users are responsible for their correct
application and for complying with contractual and statutory requirements. Compliance with a
Defence Standard does not in itself confer immunity from legal obligations.

Revision of Defence Standards

Defence Standards are revised as necessary by an up issue or amendment. It is important that
users of Defence Standards should ascertain that they are in possession of the latest issue or
amendment. Information on all Defence Standards is contained in Def Stan 00-00 Standards for
Defence Part 3 Index of Standards for Defence Procurement Section 4 'Index of Defence
Standards and Defence Specifications' published annually and supplemented regularly by
Standards in Defence News (SID News). Any person who, when making use of a Defence
Standard, encounters an inaccuracy or ambiguity is requested to notify the Directorate of
Standardization (DStan) without delay in order that the matter may be investigated and
appropriate action taken.
