Detecting faults in the fault indicators

The additional components required to alert operators to component failure (sensors, algorithms, displays, sound alarms) are not only costly but also risky: they are themselves liable to fail, which creates opportunities for new kinds of incidents (as was the case with the PORV failure in the TMI accident).

Fault indicators are liable to fail, and it is important to notify the operators when this happens and to distinguish between component failure and indicator failure. The guide recommends adding a secondary indication of failure for each primary indicator, and provides tips for adding the secondary indicators by coding, without adding to the system complexity. Typically, an indicator that fails stops sending signals to the control unit. Therefore, a highly effective way to detect faults in the indicators is to design them so that they always send signals about the component state, whether the component functions properly or not.
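The following sketch is an added example, not code from the guide. It shows how a control unit can tell the two failure cases apart when every indicator reports the component state continuously. The names `Report`, `classify` and `max_silence`, and the sample data, are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    OK = "component ok"
    COMPONENT_FAULT = "component fault"
    INDICATOR_FAULT = "indicator fault"   # the secondary indication


@dataclass
class Report:
    indicator: str       # which indicator sent the signal
    time: float          # seconds on the control unit's clock
    component_ok: bool   # component state carried in every signal


def classify(indicators, reports, now, max_silence=3.0):
    """Classify each expected indicator from the signals received so far.

    An indicator reports on every cycle, healthy or not, so a gap longer
    than max_silence (an assumed threshold) means the indicator itself has
    failed. Only a fresh signal is trusted for the component state.
    """
    latest = {}
    for r in reports:
        if r.time <= now and (r.indicator not in latest
                              or r.time > latest[r.indicator].time):
            latest[r.indicator] = r
    result = {}
    for name in indicators:
        last = latest.get(name)
        if last is None or now - last.time > max_silence:
            result[name] = Status.INDICATOR_FAULT   # silent: not "all clear"
        elif last.component_ok:
            result[name] = Status.OK
        else:
            result[name] = Status.COMPONENT_FAULT
    return result


# Constructed sample: "fan" goes silent after t=2, "sump" never reports.
SAMPLE = [
    Report("valve", 8.0, True), Report("valve", 9.0, True),
    Report("pump", 8.0, True), Report("pump", 9.5, False),
    Report("fan", 1.0, True), Report("fan", 2.0, True),
]

if __name__ == "__main__":
    states = classify(["valve", "pump", "fan", "sump"], SAMPLE, now=10.0)
    for name, status in states.items():
        print(f"{name}: {status.value}")
```

A design that signals only on failure would show the silent "fan" and "sump" indicators as healthy; here their silence is reported as a fault of its own kind.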

Updated on 26 Oct 2016.