[SystemSafety] HMI and TMI ("Three Mile Island", not "Too Much Information")

Steve Tockey Steve.Tockey at construx.com
Wed Jul 15 18:28:32 CEST 2015


When I worked on one safety-critical system (laser isotope separation for purification of Plutonium), the rule was we had to have two indicators for each device—like a valve. One indicator was the commanded state: open vs. closed. The other indicator was actual state: again, open vs. closed. The indicators were adjacent so the operator could see instantly what commanded state and actual state were.

That way, the complete loop was visible to the operator (assuming the sensing instrumentation was operating correctly…).



From: <systemsafety-bounces at lists.techfak.uni-bielefeld.de> on behalf of robert schaefer <rps at haystack.mit.edu>
Date: Wednesday, July 15, 2015 5:38 AM
To: "systemsafety at lists.techfak.uni-bielefeld.de" <systemsafety at lists.techfak.uni-bielefeld.de>
Subject: [SystemSafety] HMI and TMI ("Three Mile Island", not "Too Much Information")


If I remember correctly, one of the problems that led to the meltdown at TMI was that the HMI reported the state of
the valves as commanded and not as they actually were. Expressed as a design flaw, the man-machine system
feedback loop was incomplete.

Just curious, how would avoiding system loop design flaws be expressed formally?

----------------------------------------
robert schaefer
Atmospheric Sciences Group
MIT Haystack Observatory
Westford, MA 01886
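Added example (not from either message in this thread): a small Python model of the two-indicator rule Steve describes, together with one way to state Robert's "complete feedback loop" requirement as an invariant that can be checked against a panel layout. The Valve and panel functions, the audit routine, the device name V-101 and the two failure scenarios are all constructed for illustration and are not drawn from any real plant.

```python
"""Toy model: commanded vs. actual state on an operator panel.

Constructed for this example; Valve, hmi_* and audit are hypothetical names.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Pos(Enum):
    OPEN = "open"
    CLOSED = "closed"


@dataclass
class Valve:
    """Plant-side model. Only `sensed()` is visible to the panel."""
    name: str
    commanded: Pos = Pos.CLOSED   # last command sent by the operator
    physical: Pos = Pos.CLOSED    # what the hardware really did
    stuck: bool = False           # actuator failure: ignores commands
    sensor_ok: bool = True        # position-sensor failure: no reading

    def command(self, target: Pos) -> None:
        self.commanded = target
        if not self.stuck:
            self.physical = target

    def sensed(self) -> Optional[Pos]:
        """Position sensor reading; None when the sensor has failed."""
        return self.physical if self.sensor_ok else None


def hmi_commanded_only(v: Valve) -> dict:
    """Panel whose single indicator echoes the command, not the hardware."""
    return {"name": v.name, "state": v.commanded.value}


def hmi_two_indicator(v: Valve) -> dict:
    """Two adjacent indicators: commanded state and sensed actual state."""
    reading = v.sensed()
    actual = reading.value if reading is not None else "UNKNOWN"
    return {
        "name": v.name,
        "commanded": v.commanded.value,
        "actual": actual,
        # disagreement, or a dead sensor, is surfaced rather than hidden
        "alarm": actual != v.commanded.value,
    }


def audit(panel: dict, v: Valve) -> list:
    """Loop-closure invariant, checked against the true plant state.

    For every device d: the panel exposes a field derived from sensed(d),
    and whenever commanded(d) != physical(d) the panel shows an alarm.
    Returns a list of violations; empty means the loop is closed for d.
    """
    findings = []
    if "actual" not in panel:
        findings.append("no actual-state indicator: feedback loop open")
    if v.commanded != v.physical and not panel.get("alarm", False):
        findings.append("command/actual mismatch invisible to operator")
    if v.sensed() is None and panel.get("actual") not in (None, "UNKNOWN"):
        findings.append("panel shows a position while the sensor is failed")
    return findings


def scenario_stuck_valve(panel_fn):
    """Operator commands OPEN, but the valve sticks CLOSED."""
    v = Valve("V-101", stuck=True)          # constructed device name
    v.command(Pos.OPEN)
    panel = panel_fn(v)
    return panel, audit(panel, v)


def scenario_dead_sensor(panel_fn):
    """Valve moves as commanded, but its position sensor has failed."""
    v = Valve("V-101", sensor_ok=False)
    v.command(Pos.OPEN)
    panel = panel_fn(v)
    return panel, audit(panel, v)


if __name__ == "__main__":
    for fn in (hmi_commanded_only, hmi_two_indicator):
        for scen in (scenario_stuck_valve, scenario_dead_sensor):
            panel, findings = scen(fn)
            print(fn.__name__, scen.__name__, panel, findings or "OK")
```

The commanded-only panel fails the audit in the stuck-valve scenario because the operator sees "open" while the hardware is closed and nothing on the panel says so. The two-indicator panel passes both scenarios, and the dead-sensor case shows why the "assuming the sensing instrumentation was operating correctly" caveat matters: the panel can only close the loop as far as the sensor is trustworthy, so a failed sensor has to render as UNKNOWN with an alarm rather than as a position.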



