Control of safety critical operations

US9383740B2 · US · B2

Patent metadata
Publication number: US-9383740-B2
Application number: US-201113578747-A
Country: US
Kind code: B2
Filing date: Feb 14, 2011
Priority date: Feb 13, 2010
Publication date: Jul 5, 2016
Grant date: Jul 5, 2016

Abstract

Official abstract text for this publication.

A system wherein control of a safety-critical system operation is effected by sending a plurality of keywords via a low integrity communication path.

First claim

Opening claim text (preview).

The invention claimed is:

1. A control apparatus for triggering a safety-critical operation, the control apparatus comprising: a receiver for receiving control command signals from a remote operator; and a safety management system having a first part and at least one second part, said first part being responsive to a received control command signal to trigger operation of said at least one second part and thereby to trigger the safety-critical operation, wherein said first part transmits a plurality of keywords to said at least one second part in response to a received control command signal, and wherein said at least one second part comprises a plurality of key-safe switches, selectively responsive to the plurality of predetermined keywords, where each of said plurality of key-safe switches being configured to be activated upon receipt of a different respective one or more of the plurality of keywords, wherein the safety-critical operation is triggered in the event that at least a majority of said key-safe switches are activated.

2. The control apparatus of claim 1, wherein said first part and said at least one second part of the safety management system are implemented according to a relatively high level of integrity, and wherein the control apparatus further comprises a communications path, implemented according to a relatively low level of integrity, to convey the plurality of keywords from said first part to said at least one second part.

3. The control apparatus according to claim 2, wherein the communications path comprises a serial data bus.

4. The control apparatus according to claim 2, wherein the communications path is arranged to convey a combined data and power signal to each of said plurality of key-safe switches.

5. The control apparatus according to claim 1, wherein said plurality of key-safe switches are arranged in series with respect to a power supply or other executive signal for triggering the safety-critical operation.

6. The control apparatus according to claim 1, wherein said plurality of key-safe switches operate in a predetermined sequence.

7. The control apparatus according to claim 6, further comprising at least one logic gate configured such that a keyword is supplied to one of said plurality of key-safe switches via a logic gate to which an output from another of said plurality of key-safe switches is supplied, which causes said plurality of key-safe switches to operate in the predetermined sequence.

8. The control apparatus according to claim 1, wherein each of said plurality of key-safe switches is individually addressable.

9. The control apparatus according to claim 8, wherein the control command signals comprise an address for each of said plurality of key-safe switches and an associated one or more of said plurality of keywords and wherein said first part of said safety management system is configured to transmit each of said plurality of keywords to respectively addressed key-safe switches of said plurality of key-safe switches according to the control command signals.

10. The control apparatus according to claim 1, wherein said first part of said safety management system comprises a high integrity storage for storing said plurality of keywords and wherein said first part is configured to release said plurality of keywords from the storage for communication to said at least one second part upon receipt of a control command signal.

11. The control apparatus according to claim 10, wherein said plurality of keywords are stored in the high integrity storage in encrypted form and wherein the control command signal comprises a decryption key, and wherein said first part further comprises a processor for applying a predetermined decryption algorithm to said encrypted keywords using the decryption key, and wherein the results of said application of the decryption algorithm are communicated to said at least one second part.

12. The control apparatus according to claim 1, wherein the control command signals comprise said plurality of keywords and wherein said first part of said safety management system is configured to extract said plurality of keywords from the control command signals for communication to said at least one second part.

13. The control apparatus according to claim 12, wherein said first part of said safety management system is configured to transmit said plurality of keywords to said at least one second part of said safety management system in a sequence determined by the order in which they are received in the control command signals.

14. The control apparatus according to claim 1, wherein said receiver is configured to receive the control command signals from the remote operator over a communications path of relatively low integrity.

15. The control apparatus according to claim 1, wherein the control apparatus is configured for embodiment in an access control, power switching, or other form of safety-critical signalling or switching system.

16. An unmanned mobile or stationary platform or other form of autonomous or remotely controllable mobile or stationary platform carrying or associated with one or more weapon systems or other forms of countermeasure, the platform incorporating the control apparatus according to claim 1 configured to control the firing, launch or deployment of said one or more weapon systems or countermeasures.
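
The fail-safe behaviour implied by claims 1 and 2 can be seen in a small model, added here as an illustration and not taken from the patent: keywords cross a low-integrity bus, each key-safe switch latches only on an exact match of its own keyword, and the operation is triggered only when a majority of switches are activated. The three 8-byte keywords, the broadcast bus model, the single-bit error model and all class and function names are assumptions.

```python
import hmac

# Constructed sample keywords, one per key-safe switch (values are illustrative).
KEYWORDS = [bytes.fromhex("a5c3391e7d02f4b8"),
            bytes.fromhex("1be07c46d9a2530f"),
            bytes.fromhex("e2947fb0086dc1a3")]


class KeySafeSwitch:
    """Latches closed only when its own predetermined keyword appears on the bus."""

    def __init__(self, keyword: bytes):
        self._keyword = keyword
        self.activated = False

    def receive(self, word: bytes) -> None:
        # Exact, constant-time match; anything else leaves the switch in its safe state.
        if hmac.compare_digest(word, self._keyword):
            self.activated = True


def flip_bit(word: bytes, bit: int) -> bytes:
    """Model a single-bit error introduced by the low-integrity path."""
    out = bytearray(word)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def operation_triggered(bus_words, switch_keywords=KEYWORDS) -> bool:
    """Broadcast every word to every switch; trigger only on a majority of activations."""
    switches = [KeySafeSwitch(k) for k in switch_keywords]
    for word in bus_words:
        for switch in switches:
            switch.receive(word)
    activated = sum(s.activated for s in switches)
    return activated > len(switches) // 2


def demo() -> dict:
    one_error = [flip_bit(KEYWORDS[0], 5)] + KEYWORDS[1:]
    two_errors = [flip_bit(KEYWORDS[0], 5), flip_bit(KEYWORDS[1], 17), KEYWORDS[2]]
    return {
        "clean": operation_triggered(KEYWORDS),
        "one_keyword_corrupted": operation_triggered(one_error),
        "two_keywords_corrupted": operation_triggered(two_errors),
        "bus_stuck_at_zero": operation_triggered([bytes(8)] * 3),
        "no_traffic": operation_triggered([]),
    }


if __name__ == "__main__":
    print(demo())
```

With three switches, one corrupted keyword still leaves a majority, while two corrupted keywords, a stuck bus or an idle bus all leave the operation untriggered.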

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Bennett Simon Grant, Belcher Nicholas Andrew, Parker David, and 4 more
What technology area does this patent fall under?
Primary CPC classification G05B19/0425. Mapped technology areas include Physics.
When was this patent published?
Publication date Jul 5, 2016 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).