Child nodes:
[NB. No account has been taken of other activities or ageing processes which could add to the total frequency of demand on the safety function. In a 'real' safety case this should be done.]
The conservative consequence of an accident from either hazard (collision or splash) progressing to an accident is 0 mSv for the general public and <2 mSv for a local on-site worker. Assuming that the liquor is only from the top 5 cm of the surface of the pond.
The general public would be entirely unaffected because the hazards would involve relatively small volumes of pond liquor which, in the case of the liquor is contained by a pond bund.
The unmitigated failure rate of the robot has been shown to be <2 pdfy for each of the 2 hazards (i.e. total 4 pdfy) and it is argued that this is acceptable (blue circle in the diagram below). This is driven by the failure rate of the image classifier.
The robot does not have an entirely diverse, independent and segregated SIF. A diverse and independent sensor is used with a safe failure rate of 1E-4 pfd (deterministic - process based claim) when operating on its target hardware. The collision avoidance decision is taken by the symbolic AI which has been formally verified and has diverse runtime monitors for which we claim 1E-4 pdfy (deterministic - process based claim) when operating on its target hardware. Therefore, conservatively the SIF has a safe failure rate of 3E-4 pdfy.
Consequently, the residual likelihood of the hazard progressing to an accident is 1.2E-3 pdfy (green circle in the diagram below).
NB. If the consequence of this hazard were >2 mSv (and <20 mSv as there is no consideration of a consequence above the BSL) then one or both of the following may be needed:
