This figure illustrates the secondary risks due to automation.

The original design

In the original design, the operator controlled the boiler temperature, using an On-Off switch, based on LED indication of the boiler temperature.

This design appeared to be error prone, because the operators might not always have the required mental resources to handle situations of overheating. It also fault-prone, as the operators might not be aware of burnt LED and of malfunction of the On-Off switch.

Resilience add-ons

The improved design is by adding safety add-ons:

• A thermostat, replacing the operator role as a controller
• An alarm unit, enabling the operator role as a supervisor
• Rule-based detection of overheating, due to unexpected faults, such as that of the On-Off switch.

Secondary risks

The secondary risks are due to the resilience add-ons:

• Malfunction of the thermostat or the alarm
• Malfunction of the operator as a supervisor (automation addiction)/

Updated on 21 Jul 2016.