| Concern | Guideline |
|---|---|
| Warning patterns | Consider the example of a tank used for some chemical processing, with sensors for temperature, pressure and pH. The result of hazard analysis may indicate that leakage from one of the valves should raise the temperature and pressure and lower the pH. If the safety valve is stuck closed, the temperature should rise and the pressure and pH should drop. Similar data, with different results, may be obtained about other valves. If the tank leaks, the temperature and pressure may decrease and the pH would remain unchanged. What we get is a map of trends in sensor data due to hazards. We can use this map at run time to direct the operator to the source of warning messages. |
| Sensor reliability | What if one of the sensors gets stuck? In safety-critical systems the system should trace the changes in the sensors and flag sensors that always give the same values. |
| Repeating exceptional states | When an exceptional state repeats, the feedback message becomes annoying. Developers are often tempted to replace the feedback message with beeps, which are less annoying, or to just ignore the event. This kind of response is risky, because the operator might not know the reason for ignoring the action, and might not know that the system is in an exceptional state. A safer approach is to identify the annoying exceptional states and include them as new scenarios in the state model, and then to specify the system response according to the operators’ tasks. |
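The following is an added example, not code from the original page, showing how the "Warning patterns" trend map and the "Sensor reliability" stuck-sensor check can be implemented together. The hazard-to-trend table is taken from the tank example in the text; the sensor names, tolerances, sample size and the sample readings are assumptions constructed for the example. A stuck sensor is deliberately treated as "trend unknown" rather than "flat", so a frozen pH reading cannot be mistaken for the unchanged pH that the map associates with a tank leak.

```python
"""Hazard trend map and stuck-sensor check for a chemical-processing tank.

Added example (not from the original page). HAZARD_TRENDS encodes the trends
stated in the text; sensor names, tolerances and readings are constructed.
"""

UP, DOWN, FLAT = "up", "down", "flat"

# Expected direction of each sensor under each hazard, as given in the text.
HAZARD_TRENDS = {
    "valve leakage":             {"temperature": UP,   "pressure": UP,   "pH": DOWN},
    "safety valve stuck closed": {"temperature": UP,   "pressure": DOWN, "pH": DOWN},
    "tank leak":                 {"temperature": DOWN, "pressure": DOWN, "pH": FLAT},
}

# Constructed sample readings (oldest first) and per-sensor tolerances.
SAMPLE_HISTORY = {
    "temperature": [60.0, 60.4, 61.1, 61.9, 62.8],
    "pressure":    [2.00, 2.05, 2.11, 2.18, 2.26],
    "pH":          [7.0, 6.9, 6.7, 6.6, 6.4],
}
TOLERANCES = {"temperature": 0.5, "pressure": 0.05, "pH": 0.1}


def classify_trend(readings, tolerance):
    """Classify a reading sequence as up/down/flat from its first-to-last change."""
    if len(readings) < 2:
        return FLAT
    delta = readings[-1] - readings[0]
    if delta > tolerance:
        return UP
    if delta < -tolerance:
        return DOWN
    return FLAT


def diagnose(observed, hazard_trends=HAZARD_TRENDS):
    """Return the hazards whose expected trend pattern matches every observed trend.

    `observed` maps sensor name to a trend, or to None when the trend is unknown
    (for example because the sensor is stuck); None never matches a pattern.
    """
    return [
        hazard
        for hazard, expected in hazard_trends.items()
        if all(observed.get(sensor) == trend for sensor, trend in expected.items())
    ]


def stuck_sensors(history, min_samples):
    """Return sensors whose last `min_samples` readings are all identical."""
    return [
        sensor
        for sensor, readings in history.items()
        if len(readings) >= min_samples and len(set(readings[-min_samples:])) == 1
    ]


def check_tank(history, tolerances, min_samples=5):
    """Run the stuck-sensor check first, then match trends against the hazard map.

    Stuck sensors get trend None so a frozen value cannot masquerade as FLAT.
    """
    stuck = stuck_sensors(history, min_samples)
    observed = {
        sensor: None if sensor in stuck else classify_trend(readings, tolerances[sensor])
        for sensor, readings in history.items()
    }
    return {
        "stuck_sensors": stuck,
        "trends": observed,
        "candidate_hazards": diagnose(observed),
    }


if __name__ == "__main__":
    print(check_tank(SAMPLE_HISTORY, TOLERANCES))
    frozen = dict(SAMPLE_HISTORY, pressure=[2.0] * 5)  # constructed stuck-sensor case
    print(check_tank(frozen, TOLERANCES))
```

With the sample readings the first call reports no stuck sensors and names "valve leakage" as the only candidate hazard; with the pressure channel frozen, the second call flags "pressure" as stuck and returns no candidate, which is the point of refusing to treat a stuck sensor as a genuine trend.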