Indicating component failure
All system components are liable to fail. When designing a warning system we have to consider every failure that can occur along the chain: a failed sensor, a failed alarm unit, and an operator who does not perceive the alarm (Weiler & Harel, 2011, download ...).
System designers are always under pressure to reduce system complexity, in order to cut its price and to simplify construction, installation, and maintenance. Typically the stakeholders are not willing to give up functionality, so they are inclined to give up the components that exist only to assure resilience: sensors, displays, indicators, and audible alarms.
A first question that a designer should consider regarding adding a failure indicator is:
What are the risks that a critical component fails, and nobody knows about it?
If such a silent failure could cause a problem, then the second question is:
Can we rely on the component's MTBF?
MTBF is a statistic: it is a mean, and a mean says nothing about how the lifetimes are spread. What if the particular component we installed happens to live in the tail of the distribution? (Under the constant-failure-rate assumption that MTBF figures usually rely on, about 63% of units fail before reaching the MTBF, so the tail is not exotic.) Will the stakeholders tolerate black swans due to such failures?
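To make the tail argument concrete, here is an added example (not from the original post or the cited paper) that computes how much of the time a component is dead and nobody knows it. It assumes a constant failure rate (exponential lifetimes), which is the assumption under which MTBF is normally quoted, and that the only way the failure is discovered is a periodic inspection every T hours after which the unit is restored. Under that model the latent unavailability is the time average of the failure probability over one inspection interval, 1 - (1 - e^(-T/MTBF)) / (T/MTBF), roughly T/(2·MTBF) for short intervals; the 50,000 h MTBF and the inspection intervals are illustrative numbers, and a Monte Carlo run is included as a check on the formula.

```python
import math
import random


def prob_failed_by(t_hours: float, mtbf_hours: float) -> float:
    """Probability that a unit with constant failure rate 1/MTBF has failed by time t.
    At t == MTBF this is 1 - 1/e, about 0.632: most units die before the "mean"."""
    return 1.0 - math.exp(-t_hours / mtbf_hours)


def latent_unavailability(mtbf_hours: float, inspection_hours: float) -> float:
    """Mean fraction of time the component is dead and undetected, when the only
    check is an inspection every `inspection_hours` (unit restored on inspection).
    Time average of prob_failed_by(t) over [0, T]:  1 - (1 - exp(-T/MTBF)) / (T/MTBF)."""
    if inspection_hours <= 0:
        return 0.0                      # continuous failure indicator: nothing latent
    x = inspection_hours / mtbf_hours
    return 1.0 - (1.0 - math.exp(-x)) / x


def simulate_latent_unavailability(mtbf_hours: float, inspection_hours: float,
                                   n_intervals: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of latent_unavailability: draw a lifetime per inspection
    interval and accumulate the dead time before the next inspection finds it."""
    rng = random.Random(seed)
    dead_hours = 0.0
    for _ in range(n_intervals):
        t_fail = rng.expovariate(1.0 / mtbf_hours)   # mean lifetime == MTBF
        if t_fail < inspection_hours:
            dead_hours += inspection_hours - t_fail
    return dead_hours / (n_intervals * inspection_hours)


if __name__ == "__main__":
    MTBF = 50_000.0   # hours, illustrative figure
    print(f"P(fail before MTBF)            = {prob_failed_by(MTBF, MTBF):.3f}")
    for label, T in (("yearly inspection", 8760.0), ("weekly inspection", 168.0),
                     ("daily self-test", 24.0)):
        print(f"latent unavailability, {label:17s} = "
              f"{latent_unavailability(MTBF, T):.5f}  "
              f"(simulated {simulate_latent_unavailability(MTBF, T):.5f})")
```

With a yearly inspection the unit is silently dead about 8% of the time; with a daily self-test the figure drops to a few hundredths of a percent, and a continuous failure indicator drives it to the rate at which the indicator itself is checked. That is the quantitative case for the indicator the post argues for.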
If the stakeholders can tolerate a latent failure of the component, then the component is probably not essential to the system's operation. It may be redundant, in which case the right move is to simplify the system by removing the component, and the functions that depend on it, from the design. Otherwise, if the stakeholders would be furious about a latent hazard, the design must provide means to detect the failure and to report it.
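One way to build that detection and reporting, as an added example that is not from the original post or the cited paper: a monitor that treats a silent sensor and a stuck sensor as faults, and that emits a positive heartbeat (a numbered, timestamped status on every cycle, even when all is well) so that the receiver can tell "no faults" from "the monitor is dead". The sensor names, thresholds and readings below are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Reading:
    sensor: str
    t: float        # seconds since start
    value: float


@dataclass
class FailureMonitor:
    """Detects two latent failure modes: a sensor that has gone silent (no reading
    within max_silence) and a sensor that still reports but is stuck (same value
    for longer than max_stuck). Status reports carry a sequence number and a
    timestamp so the receiver can in turn detect a dead monitor."""
    max_silence: float
    max_stuck: float
    _state: dict = field(default_factory=dict)   # sensor -> [t_last, value, t_changed]
    _seq: int = 0

    def register(self, sensor: str, t0: float) -> None:
        # A registered sensor that never reports is a fault, not "no news is good news".
        self._state[sensor] = [t0, None, t0]

    def ingest(self, r: Reading) -> None:
        t_last, value, t_changed = self._state[r.sensor]
        if value is None or r.value != value:
            t_changed = r.t
        self._state[r.sensor] = [r.t, r.value, t_changed]

    def faults(self, now: float) -> list:
        """Faults present at time `now`, as (sensor, reason) pairs."""
        out = []
        for sensor, (t_last, value, t_changed) in sorted(self._state.items()):
            if now - t_last > self.max_silence:
                out.append((sensor, "silent"))
            elif value is not None and now - t_changed > self.max_stuck:
                out.append((sensor, "stuck"))
        return out

    def status(self, now: float) -> dict:
        """Positive heartbeat: emitted on every cycle, including fault-free ones."""
        self._seq += 1
        return {"seq": self._seq, "t": now, "faults": self.faults(now)}


def receiver_ok(last_status, now: float, max_age: float) -> bool:
    """Receiver side: a missing or stale status is itself an alarm condition."""
    return last_status is not None and now - last_status["t"] <= max_age


def build_sample() -> list:
    """Constructed traffic, not real data: readings every 10 s for 60 s.
    smoke-A varies normally, smoke-B goes silent after t=30, temp-C is stuck at 21.5."""
    readings = []
    for t in range(0, 61, 10):
        readings.append(Reading("smoke-A", float(t), float(t % 20)))
        if t <= 30:
            readings.append(Reading("smoke-B", float(t), 0.02))
        readings.append(Reading("temp-C", float(t), 21.5))
    return readings


def run_sample() -> list:
    mon = FailureMonitor(max_silence=25.0, max_stuck=40.0)
    for s in ("smoke-A", "smoke-B", "temp-C"):
        mon.register(s, 0.0)
    for r in build_sample():
        mon.ingest(r)
    return mon.faults(60.0)


if __name__ == "__main__":
    print(run_sample())   # [('smoke-B', 'silent'), ('temp-C', 'stuck')]
```

The thresholds are the design decision the post is about: max_silence bounds how long a dead sensor stays latent, and max_age on the receiver bounds how long a dead monitor stays latent. Both replace an open-ended inspection interval with a deadline that the system itself enforces.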
Updated on 10 May 2016.