If I remember correctly, one of the problems that led to the meltdown at TMI was that the HMI reported the state of the valves as commanded and not as they actually were. Expressed as a design flaw, the man-machine system feedback loop was incomplete.

Just curious, how would avoiding system loop design flaws be expressed formally?
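One way to state the property formally is as a safety invariant over a state machine ("in every reachable state, what the HMI displays equals the valve's physical position") and then check it exhaustively. The following is an added illustration, not part of the original post or any real plant software: the valve model (a valve that may stick), the two HMI wirings, and the assumption of a faithful position sensor are all constructed for the example.

```python
"""Toy model of the HMI feedback-loop flaw described above.

Added example, not part of the original post. The system model
(a valve that may stick, an HMI that displays either the commanded or
the sensed position) is a constructed abstraction. The property checked
is the one the post implies: the operator's display must agree with the
valve's actual physical state in every reachable system state.
"""
from itertools import product

OPEN, CLOSED = "open", "closed"
POSITIONS = (OPEN, CLOSED)


def hmi_commanded(commanded, sensed):
    """Flawed HMI wiring: shows the last command, closing no feedback loop."""
    return commanded


def hmi_sensed(commanded, sensed):
    """Corrected HMI wiring: shows the position reported by the limit switch."""
    return sensed


def step(state, command, stuck):
    """One transition: the operator issues a command; the valve either
    moves to the commanded position or sticks where it is."""
    _commanded, actual = state
    new_actual = actual if stuck else command
    return (command, new_actual)


def reachable_states(initial=(CLOSED, CLOSED)):
    """Exhaustively explore the (commanded, actual) state space.
    The space is tiny, so a plain worklist search is a complete model check."""
    seen = {initial}
    frontier = [initial]
    while frontier:
        state = frontier.pop()
        for command, stuck in product(POSITIONS, (False, True)):
            nxt = step(state, command, stuck)
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def check_feedback_invariant(hmi):
    """Safety property: for every reachable state, display == actual.
    Returns the sorted list of counterexample states; an empty list means
    the invariant holds for this HMI wiring."""
    counterexamples = []
    for commanded, actual in sorted(reachable_states()):
        sensor_reading = actual  # assumption: the position sensor is faithful
        if hmi(commanded, sensor_reading) != actual:
            counterexamples.append((commanded, actual))
    return counterexamples


if __name__ == "__main__":
    print("command-echo HMI violations:", check_feedback_invariant(hmi_commanded))
    print("sensor-fed HMI violations:  ", check_feedback_invariant(hmi_sensed))
```

The flawed wiring fails exactly in the stuck-valve states, which is the situation the post describes; the corrected wiring satisfies the invariant everywhere. A real model checker (TLA+, SPIN, nuXmv) states the same property as an invariant over the model's variables and does the same exhaustive search, with the added step of modelling the sensor itself as a component that can fail.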

