4.1 Ignition Systems
4.1.1 Ignition system design. The design of the ignition
system shall take into account the aggregate of devices in the weapon
system (munition, launcher, and munition launch platform) which generate
and control the operating signal to cause the munition propulsion system
4.1.2 Ignition safety device. The design of the munition
employing a missile or rocket motor shall include an ignition safety
device, based on munition system requirements, complying with the
requirements of this document. The design of the ignition safety device
shall be compatible with the ignition system(s) for the proposed
4.2 Analyses. The following analyses shall be
performed to identify hazardous conditions for the purpose of their
elimination or control.
a. A preliminary hazard analysis (PHA) shall be conducted to
identify and classify, per MIL-STD-882 appendix A, hazards of normal and
abnormal environments, as well as conditions and personnel actions that may
occur in the phases before and during intentional arming (or firing) of the
IS. This analysis shall form the basis for preparation of system design,
test, and evaluation requirements.
b. System hazard analyses and detailed analyses, such as fault
tree analyses and failure mode effects and criticality analyses, shall be
conducted to arrive at an estimate of the safety system failure rate and to
identify any single point, common mode, or other credible failure modes that
could result in inadvertent or premature arming or firing of the munition.
These analyses shall include an assessment of the relative sensitivity of
each component in the pyrotechnic train.
c. For the IS or ISD containing an embedded computer,
microprocessor, micro-controller or other computing device, the analyses
shall include a determination of the contribution of the software, firmware,
or micro-code (see 4.8) to the enabling of a safety feature.
d. Where the software is shown to directly control or remove one
or more safety features, a detailed analysis and testing of the applicable
software shall be performed to ensure that no design weaknesses, credible
software failures, or credible hardware failures propagating through the
software can result in compromise of the safety features.
e. For an IS or ISD containing Application Specific Integrated
Circuits, Programmable Gate Arrays, or similar devices, the analyses shall
include a determination of the safety criticality of these devices to the
arming and functioning of the system. Detailed safety analyses and tests
shall be performed on those devices shown to be safety critical or to directly
influence safety critical functions to determine their contribution to the
safety failure rate.
4.3 Ignition System. In order to preclude unintended
or premature ignition system arming or initiation the ignition system
a. Inhibit the arming sequence except as a consequence of a valid
launch or confirmation of the launch intent.
b. Not be susceptible to common-mode failures.
c. Not contain any single point failure mode prior to or at the
initiation of the arming cycle.
d. Delay arming as long as possible within operational
e. Utilize environmental forces, wherever possible, to enable
safety features. When the IS utilizes stored energy to enable the safety
feature(s), the stored energy source shall not be integral to the IS unless
it can be demonstrated that it is impractical to do otherwise and that the
required safety failure rate (see 4.5) can be achieved.
4.3.1 Ignition safety device. As an element of the
ignition system, the ignition safety device shall:
a. Prevent arming or initiation of the propulsion system except
in response to valid arming and launching signals from the ignition
b. Not contain any single point or common mode failure that
could result in inadvertent or premature arming or firing prior to or at
the initiation of the arming sequence.
c. Delay arming as long as possible within operational
d. Utilize environmental forces, whenever possible, to enable
safety features. When the ISD uses stored energy to enable the safety
feature(s), the stored energy source shall not be integral to the ISD
unless it can be demonstrated that it is impractical to do otherwise and
that the required safety failure rate (see 4.5) can be achieved. In
addition, if the ISD uses stored energy to enable safety features, it
shall be as unique, in terms of level and type, as allowed by system
4.4 Manual Arming. The ignition safety device shall
not be capable of being armed manually unless such capability is required by
operational conditions and is specifically approved by the responsible
reviewing activity of 4.14. Such systems shall be capable of being easily
returned to a non-armed condition under the conditions of deployment.
4.5 Safety System Failure Rate. The safety failure
rate of the IS shall be calculated by performing a safety analysis (see 4.2)
and shall be verified to the extent practicable by test and analysis. As a
minimum requirement, the safety failure rate shall not exceed one failure in
one million prior to intentional initiation of the arming
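The fault tree analysis called for in 4.2 b can be sketched as follows. This is an added example, not part of the standard: it checks a small tree against both the single point criterion of 4.3 c and the failure rate limit of 4.5. The event names, probabilities and tree shapes are hypothetical, and basic events are assumed independent.

```python
from itertools import product
# Constructed fault tree for a hypothetical ISD; event names and probabilities
# are illustrative assumptions, not values from the standard.
PROB = {
    "lock1_fails": 1e-4,      # first safety feature fails to inhibit arming
    "lock2_fails": 1e-4,      # second, independent safety feature fails
    "logic_fault": 2e-7,      # shared logic fault that removes both features
    "interlock_fails": 1e-4,  # hardware interlock added in the revised design
}
# Top event: inadvertent arming. Tuples are gates, strings are basic events.
TREE = ("OR", "logic_fault", ("AND", "lock1_fails", "lock2_fails"))
REVISED = ("OR", ("AND", "logic_fault", "interlock_fails"),
           ("AND", "lock1_fails", "lock2_fails"))
LIMIT = 1e-6  # 4.5: no more than one failure in one million

def cut_sets(node):
    """Minimal cut sets (frozensets of basic events) of a subtree."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, *children = node
    parts = [cut_sets(c) for c in children]
    if gate == "OR":
        merged = set().union(*parts)
    else:  # AND: take one cut set from every child and merge them
        merged = {frozenset().union(*combo) for combo in product(*parts)}
    return {s for s in merged if not any(o < s for o in merged)}

def top_probability(sets, prob):
    """Exact top-event probability, assuming independent basic events."""
    events = sorted(set().union(*sets))
    total = 0.0
    for state in product([False, True], repeat=len(events)):
        failed = {e for e, f in zip(events, state) if f}
        if any(s <= failed for s in sets):
            p = 1.0
            for e, f in zip(events, state):
                p *= prob[e] if f else 1.0 - prob[e]
            total += p
    return total

def assess(tree, prob=PROB, limit=LIMIT):
    sets = cut_sets(tree)
    single = sorted(e for s in sets if len(s) == 1 for e in s)
    p = top_probability(sets, prob)
    return {"single_points": single, "p_top": p,
            "meets_rate": p <= limit, "compliant": p <= limit and not single}

if __name__ == "__main__":
    print(assess(TREE), assess(REVISED))
```

The baseline tree meets the numerical limit yet still contains a single point failure, which is why the two criteria are checked separately.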
4.6 Documentation. The evaluation program
used as the basis of the safety assessment prepared by the developing agency
shall be documented in both detail and summary form.
4.7 Electromagnetic Environments. ISs and
ISDs, in their normal life cycle configurations, shall not inadvertently arm
or function during and after exposure to: electromagnetic radiation (EMR),
electrostatic discharge (ESD), electromagnetic pulse (EMP), electromagnetic
interference (EMI), lightning effects (LE) or power supply transients (PST).
In addition, ISs and ISDs shall not exhibit unsafe operation during and
after exposure to the above environments. ISs and ISDs installed in the host
munition shall be tested or evaluated for:
a. EMR - per MIL-STD-464
b. ESD - per
c. EMP - per MIL-STD-464
d. EMI - per
e. LE - per MIL-STD-464
f. PST – by
appropriate test and analysis based on the design of the power system for
4.8 Electronic Logic Functions. Any
electronic logic related to safety functions performed by the IS or ISD
shall be embedded as firmware or hardware. Firmware devices shall not be
erasable or alterable by credible environments which the IS or ISD would
4.9 Fail-Safe Features. Fail safe designs
shall be considered for ignition systems and ignition safety devices. ISD
designs shall incorporate fail-safe feature(s) based on munition
4.10 Explosive Ordnance Disposal. The IS and ISD
shall incorporate Explosive Ordnance Disposal (EOD) features which insure
that, in the event of accidents, extreme/hostile situations, or dud
ordnance, EOD personnel can either return the munition to a safe to handle
condition or, where necessary, implement field expedient disposal. Where
practical, incorporate features that permit determination of the armed or
unarmed state of the IS or ISD by EOD in the event of a misfire, hung store,
4.10.1 EOD reviewing authority. All new or altered
designs, or new applications of existing designs shall be presented to the
appropriate service's EOD research, development, test and
evaluation (RDT&E) authority for technical advice and assistance in
determining viable design approaches or trade-offs for EOD as follows:
US Army ARDEC
Picatinny Arsenal, NJ 07806-5000
Disposal Technology Division
Indian Head, MD 20640-5070
c. Air Force:
Detachment 63, 615 SMSQ
Indian Head, MD
4.11 Armed or Non-armed Condition
4.11.1 Non-armed condition assurance. The IS
and/or ISD design shall incorporate one or more of the following:
a. A feature that prevents assembly of the IS in the armed
b. A feature that prevents assembly of the ISD in the armed
c. A feature that provides a positive means of determining
that the ISD is not armed during and after its assembly and during
installation into the munition.
d. A feature that prevents installation
of an armed, assembled ISD into a munition.
4.11.1.1 Arming and reset during manufacturing.
If arming and reset of the assembled ISD in tests is a normal
procedure in manufacturing, inspection, or at any time prior to its
installation into a munition, subparagraph 4.11.1 b is not sufficient
and either subparagraph 4.11.1 c or 4.11.1 d must also be met.
4.11.1.2 Arming and reset during test. If arming
and reset of the IS is a normal test procedure at any time during its
life cycle, subparagraph a is not sufficient and the Ignition System
shall provide a positive means to determine whether the system is armed
or unarmed whether or not a munition is present.
4.11.2 Visual indication. If visual indication of
the non-armed or armed condition is employed in the ISD, visible
indicators shall be designed to provide a positive, unambiguous indication
of condition. Indicator failure shall not result in a false non-armed
indication. If color-coding is used to represent condition, the colors and
coding shall be as follows:
a. Non-armed condition. Fluorescent green background with the
letter S or word SAFE superimposed thereon in white. Colors shall be
b. Armed condition. Fluorescent red or fluorescent orange
background with the letter A or the word ARMED superimposed thereon in
black. Colors shall be non-specular.
c. Suggested color specification.
(1) Fluorescent green, Color No. 38901 per FED-STD-595.
(2) Fluorescent red, Color No. 38905 per FED-STD-595.
(3) Fluorescent orange, Color No. 38903 per FED-STD-595.
4.11.3 Electrical firing energy dissipation.
Ignition Systems and Ignition Safety Devices accumulating and/or storing
functioning energy (e.g., firing capacitors) shall dissipate the firing
energy within 60 seconds whenever the arming signal is removed. The
dissipation means shall be designed to prevent single point and common
4.12 Design for Quality Control, Inspection and Maintenance
a. The IS and ISD shall be designed and
documented to facilitate application of effective quality control and
inspection procedures. Design characteristics critical to safety shall be
identified to assure that the designed safety is maintained.
b. The design of the IS and ISD shall
facilitate the use of inspection and test equipment for monitoring all
characteristics which assure the safety and intended functioning of the IS
at all appropriate stages. The IS and ISD designs should facilitate the use
of automatic inspection equipment.
c. Embedded computing systems and their
associated software (firmware) shall be designed and documented for ease of
future maintenance. Software development shall be in accordance with
accepted high quality software development procedures, such as
4.13 Design Approval. At
the inception of system development and demonstration, the developing
activity should obtain approval from the cognizant safety authority with
both the design concept, and the methodology for assuring compliance with
safety requirements. At the completion of engineering development, the
developing activity shall present a safety assessment to the cognizant
safety authority (see 4.14) for review to obtain approval of the design.
4.14 Reviewing Activity.
New or altered designs or new applications of approved designs
shall be presented to the appropriate service safety review board for a
safety evaluation and certification of compliance with the standard:
US Army Ignition System
Safety Review Board
Redstone Arsenal, AL
b. Navy and Marine
Chairman, Weapon System
Safety Review Board
Commander, Naval Ordnance
Safety and Security Activity
Farragut Hall, Building D323
Indian Head, MD 20540-5555
c. Air Force:
USAF Nonnuclear Munitions Safety
1001 N. Second St., Suite 366
Force Base, FL