Argument A1.2.2.3.3.4.4.3.2.1.1 Design and implementation of the Collision Avoidance SIF is adequate to prevent collision because...

Requirements for the Collision Avoidance SIF have been derived from the system functional and non-functional safety requirements and verified.

NB: The requirements should include the remediation action, i.e. how to recover from the safe state.

The design and implementation of the Collision Avoidance SIF have followed a safety lifecycle model commensurate with IEC 61508. The guard has been designed and verified independently (explain what that independence is).

An analysis has shown that a combination of:

results in a maximum (worst case) impact energy, plus an n% margin, which is less than that which the hazard analysis shows to be unsafe.

Probabilistic analyses (Failure Modes, Effects and Criticality Analysis (FMECA), SIL calculations and Safe Failure Fraction (SFF)) have been conducted for the SIF and have shown a failure rate commensurate with the requirements. This analysis has also shown that a burn-in of n cycles is required prior to first use.

The Collision Avoidance SIF will enter its safe state if its power or that of the (intelligent) control system fails.

The Collision Avoidance SIF sensor, actuator and their interfaces to the decision-making system have been functionally tested with 100% coverage.

The guard has been tested to confirm it meets its non-functional requirements, including:

An analysis has shown that a documented proof-testing regime for the Collision Avoidance SIF is mandated every n operating hours / before each deployment / every n years.