Preventing latent hazards
A key concept emerging from the analysis of well-known accidents is that of latent hazards. The Three Mile Island (TMI) accident is a classic demonstration: several valves did not function as intended, some because of operator error and some because of mechanical failure, and in the best-known case a relief valve was stuck open while the control-room indication showed it closed, so the hazard stayed hidden from the operators while the damage developed.
One of the most challenging goals of resilience assurance is to prevent latent hazards. A latent hazard can originate in a component failure, an operational error, a software bug, misleading information about the system state (an inconsistent state transition, a communication problem), and so on. If the operators are not aware of the hazard, they may learn of it only when it is too late, once the hazard has materialized as an incident.
To prevent latent hazards, we need to specify rules for proper system operation, and we need to program the control unit to trace the operational state, to verify that the state complies with the current context (the operational scenario), and to alert when a rule is violated.
The guide recommends that a dedicated control unit be allocated to detecting deviations from the design rules, such as those caused by component failure. Following the STAMP paradigm, which treats safety as a control problem and accidents as the result of inadequately enforced safety constraints, the control unit checks that the operational activity complies with the operational procedures and informs the alarm unit whenever a constraint is violated.
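As an added example (not code from the guide), the following Python sketch implements the control unit just described: it traces the operational state from incoming events, applies only the constraints that belong to the current operational scenario, and raises an alarm for every violation. The three constraints map to three of the latent-hazard causes listed above (operational error, component failure hidden by misleading indication, and a communication problem), and are hypothetical, loosely modelled on the TMI valve problems; the scenario names, sensor names, thresholds and the event sequence are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Alarm:
    time: int
    scenario: str
    constraint: str
    detail: str


@dataclass(frozen=True)
class Constraint:
    name: str
    scenarios: FrozenSet[str]  # operational scenarios in which the rule applies
    # check(state, last_update_times, now) -> "" if satisfied, else a message
    check: Callable[[Dict[str, Any], Dict[str, int], int], str]


class HazardMonitor:
    """Traces the operational state from incoming events and checks it
    against the constraints that apply to the current scenario."""

    def __init__(self, constraints: List[Constraint], initial: Dict[str, Any]):
        self.constraints = list(constraints)
        self.state: Dict[str, Any] = dict(initial)
        self.updated: Dict[str, int] = {key: 0 for key in initial}
        self.alarms: List[Alarm] = []

    def process(self, t: int, updates: Dict[str, Any]) -> List[Alarm]:
        """Apply one event (a dict of state updates at time t) and return
        the alarms raised by the constraints active in the current scenario."""
        for key, value in updates.items():
            self.state[key] = value
            self.updated[key] = t
        scenario = self.state["scenario"]
        raised = []
        for c in self.constraints:
            if scenario not in c.scenarios:
                continue  # rule does not apply in this context
            detail = c.check(self.state, self.updated, t)
            if detail:
                raised.append(Alarm(t, scenario, c.name, detail))
        self.alarms.extend(raised)
        return raised


# --- Hypothetical constraints, loosely modelled on the TMI valve problems ---

def aux_feedwater_lined_up(s, updated, now):
    """Operational error: block valves left closed after maintenance."""
    closed = [v for v in ("aux_fw_valve_A", "aux_fw_valve_B") if s[v] != "open"]
    return f"auxiliary feedwater valves not open: {closed}" if closed else ""


def relief_valve_state_consistent(s, updated, now):
    """Component failure hidden by misinformation: the indicator says 'closed'
    but the tailpipe temperature says fluid is flowing through the valve."""
    if s["porv_indicator"] == "closed" and s["porv_tailpipe_temp_c"] > 100:
        return (f"PORV indicated closed but tailpipe at "
                f"{s['porv_tailpipe_temp_c']} C implies it is open")
    return ""


def telemetry_fresh(s, updated, now, max_age=15):
    """Communication problem: a sensor that has not reported recently."""
    stale = [k for k in ("porv_tailpipe_temp_c", "pressurizer_level")
             if now - updated[k] > max_age]
    return f"stale telemetry (older than {max_age}s): {stale}" if stale else ""


AT_POWER = frozenset({"at_power"})
CONSTRAINTS = [
    Constraint("aux_feedwater_lined_up", AT_POWER, aux_feedwater_lined_up),
    Constraint("relief_valve_state_consistent", AT_POWER, relief_valve_state_consistent),
    Constraint("telemetry_fresh", AT_POWER, telemetry_fresh),
]


def run_demo() -> List[Alarm]:
    """Feed a constructed event sequence through the monitor and return all alarms."""
    monitor = HazardMonitor(CONSTRAINTS, {
        "scenario": "maintenance", "aux_fw_valve_A": "closed",
        "aux_fw_valve_B": "closed", "porv_indicator": "closed",
        "porv_tailpipe_temp_c": 60, "pressurizer_level": 50,
    })
    events = [
        (10, {"scenario": "at_power"}),  # valves still closed -> alarm
        (12, {"aux_fw_valve_A": "open", "aux_fw_valve_B": "open",
              "porv_tailpipe_temp_c": 62, "pressurizer_level": 52}),
        (25, {"porv_indicator": "closed", "porv_tailpipe_temp_c": 140,
              "pressurizer_level": 55}),  # indicator contradicts temperature -> alarm
        (45, {"porv_indicator": "open", "porv_tailpipe_temp_c": 140}),  # level stale -> alarm
    ]
    for t, updates in events:
        for alarm in monitor.process(t, updates):
            print(f"t={alarm.time:>3} [{alarm.scenario}] {alarm.constraint}: {alarm.detail}")
    return monitor.alarms


if __name__ == "__main__":
    run_demo()
```

The design point is that a constraint is checked only in the scenarios where it is a safety constraint (closed feedwater valves are normal during maintenance, a violation at power), and that the monitor never trusts a single indication of valve position: the cross-check against an independent physical measurement is what turns the TMI-style hidden failure into an alarm before the transient. A production monitor would also suppress repeated alarms for a condition that is already being handled, and would feed the alarm unit rather than print.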