Argument A1.2.2.3.3.4.4.3.1.1.2 Design and implementation of the Collision Avoidance guard is adequate to prevent collision because...

Requirements for the guard have been derived from the system functional and non-functional safety requirements and verified.

NB. The requirements should include the remediation action, i.e. how to recover from the safe state.

The design and implementation of the guard have followed a safety lifecycle model commensurate with IEC 61508. The guard has been designed and verified independently (explain what that independence is).

An analysis has shown that a combination of:

results in a maximum (worst case) impact energy plus an n% margin that is less than the level which the hazard analysis shows to be unsafe.

Probabilistic analyses (Failure Modes, Effects and Criticality Analysis (FMECA), SIL calculations and Safe Failure Fraction (SFF)) have been conducted for the guard, which has been shown to have a failure rate commensurate with the requirements. This analysis has also shown that a burn-in of n cycles is required prior to first use.
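As an added illustration of the SFF part of that analysis (this is example code, not the guard's own FMECA or SIL calculation), the following computes the Safe Failure Fraction from failure rates split into the four IEC 61508 classes and looks up the architectural-constraint ceiling of IEC 61508-2 Table 2 for a Type A subsystem (a non-programmable relay and micro-switch channel qualifies as Type A). The failure-rate figures for the relay channel are constructed placeholders, and the assumption that a relay channel has no diagnostic coverage is mine.

```python
# Added example: Safe Failure Fraction (SFF) and the maximum SIL the
# hardware architecture supports for a Type A subsystem, per IEC 61508-2.
# Failure rates below are CONSTRUCTED placeholders (per hour), not the
# guard's real FMECA results.

from dataclasses import dataclass


@dataclass(frozen=True)
class FailureRates:
    """Failure rates (per hour) by FMECA failure-mode class."""
    safe_detected: float         # lambda_SD
    safe_undetected: float       # lambda_SU
    dangerous_detected: float    # lambda_DD
    dangerous_undetected: float  # lambda_DU

    @property
    def total(self) -> float:
        return (self.safe_detected + self.safe_undetected
                + self.dangerous_detected + self.dangerous_undetected)


def safe_failure_fraction(r: FailureRates) -> float:
    """SFF = (lambda_S + lambda_DD) / lambda_total (IEC 61508-2, Annex C)."""
    if r.total <= 0:
        raise ValueError("total failure rate must be positive")
    return (r.safe_detected + r.safe_undetected + r.dangerous_detected) / r.total


# IEC 61508-2 (ed. 2) Table 2, Type A subsystems: maximum SIL claimable for
# an SFF band and a hardware fault tolerance (HFT). Tuple index = HFT 0, 1, 2.
_TYPE_A_MAX_SIL = {
    "<60%":   (1, 2, 3),
    "60-90%": (2, 3, 4),
    "90-99%": (3, 4, 4),
    ">=99%":  (3, 4, 4),
}


def sff_band(sff: float) -> str:
    """Map an SFF value to the band used by the table."""
    if sff < 0.60:
        return "<60%"
    if sff < 0.90:
        return "60-90%"
    if sff < 0.99:
        return "90-99%"
    return ">=99%"


def max_sil_type_a(sff: float, hft: int) -> int:
    """Architectural-constraint ceiling (Route 1H) for a Type A subsystem."""
    if hft not in (0, 1, 2):
        raise ValueError("HFT must be 0, 1 or 2")
    return _TYPE_A_MAX_SIL[sff_band(sff)][hft]


# Constructed figures for one relay channel of the guard (per hour).
# Assumption: a pure relay channel has no diagnostics, so nothing is
# "detected"; a contact that fails open drops propeller power (safe), a
# contact that welds closed leaves power on (dangerous, undetected).
RELAY_CHANNEL = FailureRates(
    safe_detected=0.0,
    safe_undetected=4.0e-7,
    dangerous_detected=0.0,
    dangerous_undetected=1.0e-7,
)


def guard_channel_assessment(r: FailureRates = RELAY_CHANNEL) -> dict:
    """SFF of the channel and the SIL ceiling with and without redundancy."""
    sff = safe_failure_fraction(r)
    return {
        "sff": sff,
        "band": sff_band(sff),
        "max_sil_hft0": max_sil_type_a(sff, 0),  # single channel
        "max_sil_hft1": max_sil_type_a(sff, 1),  # two channels in series
    }


if __name__ == "__main__":
    result = guard_channel_assessment()
    print(f"SFF = {result['sff']:.0%} ({result['band']})")
    print(f"HFT 0: max SIL {result['max_sil_hft0']}")
    print(f"HFT 1: max SIL {result['max_sil_hft1']}")
```

The point the numbers make is that a single relay channel whose dominant dangerous mode is a welded contact can only claim a limited SIL however good its failure rate is; wiring a second independent switch and relay in series (HFT 1) raises the ceiling without changing the SFF. The burn-in requirement stated above addresses the early-life portion of the same failure rates, which this steady-state calculation does not cover.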

The guard is diverse, independent (except for its power supply) and segregated from the (intelligent) control system. The design and implementation do not contain any programmable elements and are based on the actuation of micro switches by 'whiskers' placed around the robot which in turn actuate relays cutting power to the propellers (the safe state). The guard will enter its safe state if its power or that of the (intelligent) control system fails.
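The safe-state-on-power-loss property in that paragraph is what a de-energise-to-trip circuit gives for free, and it can be checked exhaustively because the guard has no programmable elements. The following is an added example, not part of the safety argument or the guard's real circuit: it models each whisker as a normally-closed micro switch wired in series with the guard supply and a control-system "healthy" contact, so the propeller contactor coil is only held in while every condition holds, and then enumerates every input combination to confirm no hazardous state leaves the propellers powered. The wiring arrangement, the four-whisker count and the "control power monitored through a contact" detail are my assumptions; the energise-to-trip variant is included only to show why that pattern would fail the page's requirement.

```python
# Added example: exhaustive check of a de-energise-to-trip model of the
# collision-avoidance guard. Wiring details are ASSUMED, not the real design.

from dataclasses import dataclass
from itertools import product
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Inputs:
    guard_power: bool               # supply to the guard circuit present
    control_power: bool             # supply to the intelligent control system present
    whisker_contact: Tuple[bool, ...]  # True = that whisker has been deflected
    control_demand: bool            # control system is requesting propeller drive


def propellers_energised_de_energise_to_trip(i: Inputs) -> bool:
    """Propeller contactor closes only while its coil is actively held in.

    Assumed circuit: normally-closed micro switches (one per whisker) in
    series with the guard supply and a control-system healthy contact feed
    the coil. Any open element drops the coil and cuts propeller power.
    """
    switches_closed = not any(i.whisker_contact)
    coil_energised = i.guard_power and switches_closed and i.control_power
    return coil_energised and i.control_demand


def propellers_energised_energise_to_trip(i: Inputs) -> bool:
    """Anti-pattern for contrast: the guard must actively signal a trip.

    If the guard loses power it cannot raise the trip signal, so power
    stays on. This is the behaviour the argument's design avoids.
    """
    trip_signal = i.guard_power and any(i.whisker_contact)
    return i.control_demand and not trip_signal


def all_inputs(n_whiskers: int = 4):
    """Every combination of supplies, demand and whisker states."""
    for guard_power, control_power, demand in product((False, True), repeat=3):
        for contacts in product((False, True), repeat=n_whiskers):
            yield Inputs(guard_power, control_power, contacts, demand)


def unsafe_states(design: Callable[[Inputs], bool], n_whiskers: int = 4) -> List[Inputs]:
    """States where a hazard condition exists yet the propellers still run.

    Hazard condition, taken from the argument: a whisker has made contact,
    or the guard's power or the control system's power has failed.
    """
    bad = []
    for i in all_inputs(n_whiskers):
        hazard = any(i.whisker_contact) or not i.guard_power or not i.control_power
        if hazard and design(i):
            bad.append(i)
    return bad


def reaches_safe_state_on_any_failure(design: Callable[[Inputs], bool],
                                      n_whiskers: int = 4) -> bool:
    """True if the design never powers the propellers in a hazard condition."""
    return not unsafe_states(design, n_whiskers)


if __name__ == "__main__":
    ok = reaches_safe_state_on_any_failure(propellers_energised_de_energise_to_trip)
    print("de-energise-to-trip fails safe in every state:", ok)
    bad = unsafe_states(propellers_energised_energise_to_trip)
    print(f"energise-to-trip: {len(bad)} unsafe states, e.g. {bad[0]}")
```

This check covers the guard's logic only: it shows the circuit topology cannot leave the propellers powered after a contact or a supply failure. It says nothing about component failures such as a relay contact welding closed, which is why the FMECA and the 100% functional test are separate legs of the argument rather than alternatives to this kind of model.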

The guard has been functionally tested with 100% coverage.

The guard has been tested to confirm it meets its non-functional requirements, including: