Child nodes:
The SIF comprises:
SFC
ONR SAP EDR.4 (Single failure criterion): not applicable as the robot will only be deployed below the BSL
Sensors
No claim is made for the Image Classifier.
The (Complex) Collision Sensor is diverse from the Image Classifier:
The (Complex) Collision Sensor is independent of the Image Classifier:
The (Complex) Collision Sensor is partially segregated from the Image Classifier:
Decision making
There are no diverse means of decision making in this robot. Reliance is placed on the ability of the formal verification methods to provide enough of a claim.
The decision making part of the SIF is part of the overall control system SIS of which the decision making SSC is an element. It is therefore not independent of the other SIFs or the overall control system SIS. Reliance is placed on the ability of the formal verification methods to provide enough of a claim.
The decision making is not independent of the Image Classifier (for which no claim is made). However, the logic in the decision making is such that the (Complex) Collision Sensor input (along with a timer) is capable of overriding any input from the Image Classifier. Reliance is placed on the ability of the formal verification methods to provide enough of a claim.
The decision making is in the same compartment as the (Complex) Collision Sensor and therefore is segregated from the Image Classifier. The Image Classifier outputs are electrically isolated from the inputs of the decision making by opto-isolation. The decision making operates from the same power source and power conditioning as the (Intelligent) Collision Sensor. Therefore, it is suitably segregated from the Image Classifier.
Conventional Control Algorithms
There are no diverse means of providing Conventional Control Algorithm control to the actuators.
The Conventional Controller part of the SIF is part of the overall control system of which the Conventional Controller SSC is an element. It is therefore not independent of the other SIFs or the overall control system SIS. Reliance is placed on the ability to implement the Conventional Controller and hardware platform to provide enough of a claim.
The Conventional Controller only takes input from the decision making SSC and therefore is not (indirectly) independent of the Image Classifier. However, the logic in the decision making is such that the (Complex) Collision Sensor input (along with a timer) is capable of overriding any input from the Image Classifier. Reliance is placed on the ability of the formal verification methods to provide enough of a claim.
The Conventional Controller is in the same compartment as the (Complex) Collision Sensor and therefore is segregated from the Image Classifier. The Image Classifier has no electrical interface to the Conventional Controller. The Conventional Controller operates from the same power source and power conditioning as the (Intelligent) Collision Sensor. Therefore, it is suitably segregated from the Image Classifier.
Actuators (Propeller motors)
The ultimate safe state for the actuators is to remove power. Therefore, it is unnecessary for there to be a diverse or independent actuation.
The Actuators are in a separate metal compartment to the rest of the SIF, thereby providing EMC and heat segregation. The Actuators operate on the same power source as the rest of the SIF; however, they have their own power conditioning. This makes the rest of the SIF less vulnerable to power fluctuations caused by the actuators.
Runtime monitors and WDT
The Runtime monitors protect the operation of the decision making.
The Runtime monitors are diverse from the decision making:
The Runtime monitors are not diverse from the Sensors, i.e. they take input from the sensors.
The Runtime monitors are independent of the decision making in that they decide whether the decisions that are being made are within health, environmental and operating envelopes.
The Runtime monitors are partially segregated from the rest of the SIF:
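The two claimed mechanisms above, the collision sensor plus timer overriding the Image Classifier in the decision making, and the Runtime monitors checking each decision against health, environmental and operating envelopes from the same raw sensor inputs, are shown below as an added illustration. This is not the robot's own code or part of the safety case; the class names, the hold-off timer behaviour and the envelope thresholds are assumptions chosen for the example, and the sensor readings are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Command(Enum):
    RUN = "run"    # power the propeller motors
    STOP = "stop"  # ultimate safe state: remove motor power


@dataclass(frozen=True)
class Inputs:
    """One control cycle of inputs seen by both the decision making and the monitor."""
    now_s: float
    classifier_clear: bool   # Image Classifier output; no safety claim is made for it
    collision: bool          # (Complex) Collision Sensor output; the claimed input
    battery_v: float         # health envelope reading (constructed)
    water_temp_c: float      # environmental envelope reading (constructed)


class DecisionMaker:
    """Hypothetical decision logic: collision sensor + hold-off timer beat the classifier."""

    def __init__(self, hold_s: float) -> None:
        self.hold_s = hold_s
        self.hold_until_s: Optional[float] = None

    def decide(self, i: Inputs) -> Command:
        if i.collision:
            # (Re)arm the timer: keep stopping for hold_s after the last collision report.
            self.hold_until_s = i.now_s + self.hold_s
        if self.hold_until_s is not None and i.now_s < self.hold_until_s:
            return Command.STOP  # override, whatever the classifier says
        self.hold_until_s = None
        # Only once the timer has expired does the unclaimed classifier get a say,
        # and it can only contribute permission to RUN, never an override to RUN.
        return Command.RUN if i.classifier_clear else Command.STOP


@dataclass(frozen=True)
class Envelopes:
    min_battery_v: float       # health
    min_water_temp_c: float    # environmental
    max_water_temp_c: float    # environmental


class RuntimeMonitor:
    """Checks a decision against the envelopes; not diverse from the sensors (same inputs)."""

    def __init__(self, env: Envelopes) -> None:
        self.env = env

    def violations(self, i: Inputs, decision: Command) -> List[str]:
        found: List[str] = []
        if decision is Command.RUN and i.collision:
            found.append("operating: RUN commanded while collision sensor active")
        if i.battery_v < self.env.min_battery_v:
            found.append("health: battery below minimum")
        if not (self.env.min_water_temp_c <= i.water_temp_c <= self.env.max_water_temp_c):
            found.append("environmental: water temperature outside envelope")
        return found

    def gate(self, i: Inputs, decision: Command) -> Command:
        # Any violation forces the ultimate safe state (remove actuator power).
        return Command.STOP if self.violations(i, decision) else decision


def cycle(dm: DecisionMaker, mon: RuntimeMonitor, i: Inputs) -> Command:
    """Decision making followed by the runtime monitor gate, as sent to the actuators."""
    return mon.gate(i, dm.decide(i))


if __name__ == "__main__":
    dm = DecisionMaker(hold_s=2.0)
    mon = RuntimeMonitor(Envelopes(min_battery_v=11.0, min_water_temp_c=0.0, max_water_temp_c=35.0))
    trace = [  # constructed readings: a collision at t=1 holds STOP until t=3
        Inputs(0.0, True, False, 12.5, 10.0),
        Inputs(1.0, True, True, 12.5, 10.0),
        Inputs(2.0, True, False, 12.5, 10.0),
        Inputs(3.0, True, False, 12.5, 10.0),
    ]
    for i in trace:
        print(i.now_s, cycle(dm, mon, i).value)
```

The timer is what turns a single collision pulse into a sustained override; the monitor's operating-envelope check is the separate judgement that a RUN while the collision sensor is active is never acceptable, which is why it still catches that case if the decision making were to get it wrong.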
The WDTs are diverse from the ...