Failure models
Failure models make it possible to predict and analyze risky situations through situation-oriented failure analysis, namely in terms of the system situation and the design scope.
Models explaining operational failure
There are many explanations for the sources of system failures. A few of them are:
- Organizational factors (e.g. Reason, 1997; Dekker, 2006).
- Complexity (e.g. Perrow, 1984).
- Extreme operational conditions (e.g. Hollnagel et al., 2006; Weiler & Harel, 2011).
- Human errors (e.g. Norman, 1983).
- Quality of the requirement specification (e.g. Robert et al., 1998; Leveson, 2012).
- Quality of the implementation (e.g. Weinberg, 1971; Norman, 1990).
- Mismatch with the operational context (e.g. Zonnenshain and Harel, 2009).
Activity models of failure
Root-cause analysis of many case studies reveals the following activity pattern that ends in failure:
- Latent hazards: the operators are not aware of an exceptional situation, such as a component failure or an inconsistent system state, because the indication is missing or wrong. In the TMI (Three Mile Island) accident, the system did not provide any indication of the wrong state of five components, and provided a wrong indication of the state of the PORV (pilot-operated relief valve), which was critical for handling the situation (Perrow, 1984). Related terms are latent failures and latent conditions (Eurocontrol, 2006).
- Delay in the recovery procedure: the operators do not complete the troubleshooting and the recovery procedure in time (as in the TMI accident).
- Leaks (holes) in the firewalls within the design scope.
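The latent-hazard step of this pattern can be made concrete with a small model. The following is an added example, not code from the original page: it contrasts two indicator designs for a valve, one that displays the command signal and one that displays an independent position sensor, and runs a consistency check that lists the components whose state the operators cannot correctly know from the panel. The scenario, the component names and the command-driven-indicator mechanism are constructed assumptions for illustration; the page itself only says that at TMI the PORV indication was wrong and five components had no indication.

```python
# Added example (not from the page): a minimal model of the "latent hazard"
# pattern, in which operators act on indications that are missing or wrong.
# The scenario, component names and the two indicator designs are constructed
# for illustration; they are not taken from the TMI record cited on the page.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Component:
    """A two-position component (e.g. a valve) with an injectable fault."""
    name: str
    commanded: str = "closed"   # last position the controller asked for
    actual: str = "closed"      # physical position
    stuck: bool = False         # fault injected by the scenario: ignores commands
    has_indicator: bool = True  # False models the "missing indication" case

    def command(self, position: str) -> None:
        self.commanded = position
        if not self.stuck:
            self.actual = position


# Two indicator designs (assumed for the example).  The first reports the
# command signal, so a stuck component is displayed in the position it was
# told to take; the second reports an independent position sensor.
def indication_from_command(c: Component) -> str:
    return c.commanded


def indication_from_sensor(c: Component) -> str:
    return c.actual


def build_panel(components: List[Component],
                indicator: Callable[[Component], str]) -> Dict[str, str]:
    """What the operator sees: one reading per component that has an indicator."""
    return {c.name: indicator(c) for c in components if c.has_indicator}


def find_latent_hazards(components: List[Component],
                        panel: Dict[str, str]) -> List[Tuple[str, str]]:
    """Cross-check the panel against ground truth and list every component
    whose state the operators cannot correctly know from the panel."""
    findings = []
    for c in components:
        shown = panel.get(c.name)
        if shown is None:
            findings.append((c.name, "missing indication"))
        elif shown != c.actual:
            findings.append((c.name, f"indicated {shown}, actual {c.actual}"))
    return findings


def run_scenario(indicator: Callable[[Component], str]
                 ) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Constructed scenario: a relief valve opens, sticks, and is then commanded
    shut; a second valve works normally; a third valve has no panel indicator."""
    relief = Component("relief_valve")
    relief.command("open")
    relief.stuck = True               # mechanical fault after opening
    relief.command("closed")          # command issued, valve stays open
    makeup = Component("makeup_valve")
    makeup.command("open")
    drain = Component("drain_valve", has_indicator=False)
    drain.command("open")
    components = [relief, makeup, drain]
    panel = build_panel(components, indicator)
    return panel, find_latent_hazards(components, panel)


if __name__ == "__main__":
    for label, indicator in (("command-driven", indication_from_command),
                             ("sensor-driven", indication_from_sensor)):
        panel, hazards = run_scenario(indicator)
        print(f"{label} indicator: panel={panel} latent hazards={hazards}")
```

With the command-driven indicator the panel shows the stuck relief valve as closed, so the wrong indication is only exposed by the cross-check; with the sensor-driven indicator the only remaining latent hazard is the valve that has no indicator at all. The cross-check is the kind of independent consistency monitor that turns a latent hazard into an explicit alarm instead of a surprise during recovery.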
Updated on 10 Mar 2016.