Re: [SystemSafety] HMI and TMI ("Three Mille Island", not "Too Much Information")

From: Steve Tockey < >
Date: Wed, 15 Jul 2015 16:28:32 +0000

When I worked on one safety-critical system (laser isotope separation for purification of Plutonium), the rule was we had to have two indicators for each device—like a valve. One indicator was the commanded state: open vs. closed. The other indicator was actual state: again, open vs. closed. The indicators were adjacent so the operator could see instantly what commanded state and actual state were.

That way, the complete loop was visible to the operator (assuming the sensing instrumentation was operating correctly…).

Date: Wednesday, July 15, 2015 5:38 AM
Subject: [SystemSafety] HMI and TMI ("Three Mille Island", not "Too Much Information")

If I remember correctly, one of the problems that led to the meltdown at TMI was that the HMI reported the state of the valves as commanded and not as they actually were. Expressed as a design flaw, the man-machine system feedback loop was incomplete.

Just curious, how would avoiding system loop design flaws be expressed formally?

robert schaefer
Atmospheric Sciences Group
MIT Haystack Observatory
Westford, MA 01886

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Wed Jul 15 2015 - 18:28:42 CEST

This archive was generated by hypermail 2.3.0 : Tue Jun 04 2019 - 21:17:07 CEST