Child nodes:
[NB. No account has been taken of other activities or ageing processes which could add to the total frequency of demand on the safety function. In a 'real' safety case this should be done.]
The conservative consequence of either hazard (collision or splash) progressing to an accident is 0 mSv to the general public and <2 mSv to a local on-site worker, assuming that the liquor involved comes only from the top 5 cm of the pond surface.
The general public would be entirely unaffected because both hazards involve relatively small volumes of pond liquor which, in the case of a splash, would be contained by the pond bund.
The unmitigated failure rate of the robot has been shown to be <2 pdfy for each of the 2 hazards (A1.4.3.3.4.4.3.1.2.1 - Analysis indicates that the failure rate is acceptable), i.e. a total demand on the safety function of 4 pdfy, and it is argued that this is acceptable (blue circle in the diagram below).
SIL 4 components (switches and relays) have been used in a 1oo4 (one-out-of-four) voting architecture.
The diverse, independent and partially segregated SIF has a probability of failure on demand of 1E-4 pfd.
NB. This SIF failure probability is considered difficult to attain, even with SIL 4 components in a 1oo4 architecture. A challenge on this point could therefore be met by adding a further, diverse SIF built from an (analogue) sonar sensor with short range, directed only along the direction of motion; on detecting an obstacle in the robot's path it would cut power to the propeller.
Consequently, taking the demand frequency of 4 pdfy and the SIF pfd of 1E-4 together (4 x 1E-4), the residual likelihood of the hazard progressing to an accident is 4E-4 pdfy (green circle in the diagram below).
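To make the arithmetic in the three preceding statements checkable, the following is an added worked example in Python; it is not part of the original safety case. It reproduces the residual-frequency step (demand rate x pfd) and also works the PFDavg of a 1oo4 group from per-channel figures using the simplified IEC 61508-6 low-demand approximations, splitting the result into an independent (voting) term and a common-cause (beta) term. It goes slightly beyond the text by showing the beta ceiling that a 1E-4 target implies, which is one reason such a figure is hard to attain. The per-channel failure rate, proof-test interval and beta are constructed illustrative values, and all function names are the example's own.

```python
"""Functional-safety arithmetic behind the robot SIF argument.

Added worked example; it is not part of the original safety case.
Formulas are the simplified IEC 61508-6 low-demand approximations with no
diagnostic coverage or repair term (an assumption made here):
    PFD_independent(1ooN) ~= (lambda_DU * T)**N / (N + 1)
    PFD_common_cause      ~= beta * lambda_DU * T / 2
lambda_DU (undetected dangerous failure rate, per hour), T (proof-test
interval, hours) and beta (common-cause fraction) are constructed
illustrative values, not figures taken from the page.
"""


def sil_for_pfd(pfd: float) -> int:
    """Low-demand SIL band for a PFDavg (IEC 61508-1 Table 2).

    SIL 4 is [1e-5, 1e-4); anything below 1e-5 is treated as meeting SIL 4.
    Returns 0 when the figure is worse than SIL 1.
    """
    if pfd < 1e-4:
        return 4
    if pfd < 1e-3:
        return 3
    if pfd < 1e-2:
        return 2
    if pfd < 1e-1:
        return 1
    return 0


def pfd_1oon(n: int, lambda_du: float, proof_test_h: float, beta: float):
    """PFDavg of a 1ooN voted group, returned as (independent, common_cause).

    The independent term falls as (lambda*T)**N, so extra channels help it;
    the common-cause term is the same for any N and is usually the floor.
    """
    x = lambda_du * proof_test_h
    independent = x ** n / (n + 1)
    common_cause = beta * x / 2.0
    return independent, common_cause


def max_beta_for_target(lambda_du: float, proof_test_h: float, target_pfd: float) -> float:
    """Largest common-cause fraction that still lets the group meet target_pfd.

    From beta * lambda_DU * T / 2 <= target (ignoring the tiny independent term).
    """
    return 2.0 * target_pfd / (lambda_du * proof_test_h)


def residual_accident_frequency(demand_per_year: float, pfd: float) -> float:
    """Demand frequency on the SIF times its PFD = accidents per year."""
    return demand_per_year * pfd


def robot_sif_case(lambda_du=1e-6, proof_test_h=8760.0, beta=0.1, demands_per_year=4.0):
    """Evaluate the 1oo4 SIF against the page's 1E-4 pfd target and 4 pdfy demand.

    Default inputs are constructed: a 1e-6/h undetected dangerous failure rate
    per channel, an annual proof test and a 10 % common-cause fraction.
    """
    independent, common_cause = pfd_1oon(4, lambda_du, proof_test_h, beta)
    pfd = independent + common_cause
    return {
        "pfd_independent": independent,
        "pfd_common_cause": common_cause,
        "pfd_total": pfd,
        "sil": sil_for_pfd(pfd),
        "meets_1e-4_target": pfd <= 1e-4,
        "residual_per_year": residual_accident_frequency(demands_per_year, pfd),
        "max_beta_for_1e-4": max_beta_for_target(lambda_du, proof_test_h, 1e-4),
    }


if __name__ == "__main__":
    # With the constructed defaults the voting term is negligible but the
    # common-cause term alone (4.38e-4) misses the 1E-4 target; the group
    # would need beta below roughly 2.3 % to claim it.
    for key, value in robot_sif_case().items():
        print(f"{key:>20}: {value:.3g}" if isinstance(value, float) else f"{key:>20}: {value}")
```

The design point the example makes is that, once beta is non-zero, adding channels to a 1ooN group stops buying anything: the common-cause term does not depend on N, so a claim of 1E-4 pfd stands or falls on the evidence for beta (diversity, segregation, proof-test regime), not on the number of SIL 4 relays.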