[SystemSafety] Fwd: Re: HMI and TMI ("Three Mile Island", not "Too Much Information")

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Wed Jul 15 15:04:59 CEST 2015


On 2015-07-15 14:38 , robert schaefer wrote:
> 
> .. Expressed as a design flaw, the man-machine system feedback loop was incomplete.
> 
> Just curious, how would avoiding system loop design flaws be expressed formally?

It depends on the system and what kind of flaw you might have in mind. To my mind, it's a bit like
asking a mathematician how you prove a theorem in algebra. It mostly depends on the theorem.

One way of doing it in this case would be to have a specification which says (*) <the valve is
indicated closed> only if <certain failure modes> OR <the valve is closed>. And specifications of
all the components in the causal chain from closed-valve-indicator to closed valve and maybe some
others. And then you'd assume the subcomponent specifications are correct and fulfilled and prove
(*), thereby incurring the obligations to show the subcomponent specifications correct and
fulfilled. If there are people in that causal chain, you write down their procedures formally as
you would that of any other active component, and generally assume they are correctly executed for
the purposes of conducting the verification.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
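The verification sketched in the message above, carried through on a toy model, as an added example that is not part of the post or the list discussion. It models the causal chain from a closed-valve indicator back to the physical valve as a handful of components (valve, position sensor, indicator lamp, and the operator's written procedure), gives each one a specification as a predicate over a system state, assumes every specification is met, and enumerates all admitted states looking for a violation of the top-level property (*): the operator treats the valve as closed only if the admitted failure mode has occurred or the valve really is closed. Two indicator designs are compared: one fed from the position sensor and one fed from the command signal, so the second design has no feedback from the valve itself. All component, field and function names, the choice of failure mode, and the sample designs are constructed for the example.

```python
"""Toy compositional verification of a closed-valve-indication property.

Constructed example, not from the mailing-list post. Each component of the
causal chain from indicator to valve gets a specification written as a
predicate over a boolean system state. The checker assumes every component
specification is fulfilled and enumerates all states allowed by them,
searching for a state that violates the top-level property

    (*)  <operator treats valve as closed> only if <sensor failed> OR <valve closed>

Component, field and predicate names are invented for the example.
"""
from dataclasses import dataclass, fields
from itertools import product
from typing import Callable, Dict, List


@dataclass(frozen=True)
class State:
    commanded_closed: bool        # controller has ordered the valve shut
    valve_stuck: bool             # plant condition: actuator did not move
    valve_closed: bool            # true physical position
    sensor_failed: bool           # the one admitted failure mode of the chain
    sensor_reports_closed: bool   # position sensor output
    indicated_closed: bool        # lamp the operator sees
    operator_treats_closed: bool  # operator's belief / basis for action


Spec = Callable[[State], bool]


def all_states() -> List[State]:
    """Every assignment of the boolean state variables (2**7 = 128 states)."""
    names = [f.name for f in fields(State)]
    return [State(**dict(zip(names, vals)))
            for vals in product([False, True], repeat=len(names))]


# --- component specifications (assumed correct and fulfilled) -------------

def valve_spec(s: State) -> bool:
    """Valve follows its command unless it is stuck; a stuck valve is unconstrained."""
    return s.valve_stuck or (s.valve_closed == s.commanded_closed)


def sensor_spec(s: State) -> bool:
    """Position sensor reports the true position unless it has failed."""
    return s.sensor_failed or (s.sensor_reports_closed == s.valve_closed)


def indicator_from_position(s: State) -> bool:
    """Design A: indicator lamp driven by the position sensor."""
    return s.indicated_closed == s.sensor_reports_closed


def indicator_from_command(s: State) -> bool:
    """Design B: indicator lamp driven by the command signal (no feedback from the valve)."""
    return s.indicated_closed == s.commanded_closed


def operator_procedure(s: State) -> bool:
    """Written procedure: treat the valve as closed iff the lamp says closed.
    Assumed correctly executed for the purposes of the verification."""
    return s.operator_treats_closed == s.indicated_closed


# --- top-level property (*) ----------------------------------------------

def property_star(s: State) -> bool:
    return (not s.operator_treats_closed) or s.sensor_failed or s.valve_closed


def counterexamples(specs: Dict[str, Spec], prop: Spec) -> List[State]:
    """States admitted by every component spec in which prop is false."""
    return [s for s in all_states()
            if all(spec(s) for spec in specs.values()) and not prop(s)]


def check(indicator: Spec) -> List[State]:
    """Verify (*) against the chain built from the given indicator design."""
    specs = {"valve": valve_spec, "sensor": sensor_spec,
             "indicator": indicator, "operator": operator_procedure}
    return counterexamples(specs, property_star)


if __name__ == "__main__":
    for name, ind in [("position-fed indicator", indicator_from_position),
                      ("command-fed indicator", indicator_from_command)]:
        cex = check(ind)
        print(f"{name}: {len(cex)} counterexample(s) to (*)")
        for s in cex:
            print("   ", s)
```

With the position-fed indicator the search finds no admitted state violating (*), so the property follows from the component specifications, leaving the obligation to show those specifications are correct and fulfilled. With the command-fed indicator the search returns the single state in which the valve is commanded shut but stuck open, the sensor is healthy, and the lamp and the operator both say "closed": the incomplete feedback loop shows up as a concrete counterexample rather than as a prose observation.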



