Evidence E1.2.2.3.3.4.4.3.2.1.1.1.1.2.4.1 Design Justification Report (DJR)

• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.5 The safe state actuation is simple
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.1.1.2.4 Symbolic AI: Formal methods have been used to provide better assurance than review and informal analyses
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.1.1.3 A process which is commensurate with IEC 61508 based on the claim made on the SIF's SSCs has been followed and independently reviewed
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.2.2.4 Environmental monitor Diverse and independent monitors have been designed to use data from the input domain (sensors) to constrain the robot's capabilities to that of the defined environmental operational envelope by applying identified fail safe states.
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.2.2 An appropriate level of independence has been applied for the classification of this SSC
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.3.1 A combination of analyses has shown that the SIF's SSC meets its reliability targets
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.2.1 An appropriate level of independent oversight has been performed for the classification of this SSC
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.2.2.2 Operational Monitor Diverse and independent monitors have been designed to use data from the input (sensors) and output (actuators) domain to constrain the robot's capabilities to that of the defined operational envelope by applying identified fail safe states.
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.4.1 The SIS, of which the SIF is part, is adequately safe and has been justified to the same level as the Class of this SIF, except for the Image Classifier, where a diverse sensor ((Intelligent) Collision Sensor) is used; therefore, the SIF is adequately diverse, independent and segregated
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.2.1 Collision hazard mitigation SIF are linked to the system level requirements and have been shown to be complete, unambiguous (SMART)
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.2.2.3 Health Monitor Diverse and independent monitors have been designed to identify excursions from the robot system's 'normal' internal operating health envelope to constrain the robot's capabilities to that of the defined operational envelope by applying identified fail safe states.
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.2.1 The (Complex) Collision Sensor is diverse from that of the image classification (sub-symbolic AI) and is verifiable
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.2.2.1 Watch Dog Timers (WDT) have been employed to place the the robot in a safe state if the processing freezes
• Is evidence for Argument: A1.2.2.3.3.4.4.3.2.1.1.6.1 The SIF has undergone functional and non-functional testing which has confirmed its operation according to its requirements specification

Child nodes: