The guidelines in this section enable you to enhance system safety by constraining the situation to always remain in the design scope.
This defense imposes requirements for setting the rules that define acceptable operator activity.
According to the Protection model, escalation is the result of getting out of the design scope.
To enforce staying in the design scope, the design should restrict and control the acceptable events when in
The only events that may be received when in exceptional situations are those required to resume routine operation and to keep the system alive.
In case of emergency, the design should check that the system remains in the design scope. Otherwise, the system should use a safety net, which implies operating in emergency mode (Zonnenshain & Harel, 2013).
Escalation detection is based on the recommended architecture: the rules used to detect escalation are the same rules that define the design scope, so an event that falls outside the scope of the current situation is itself the escalation signal.
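One way to implement these rules, as an added example that is not part of the original page or of Zonnenshain & Harel's work: a controller keeps one allow-list of events per situation (that table is the design scope), treats any event outside the list for the current situation as an escalation, and engages the safety net by dropping into emergency mode, where only keep-alive and reset events are accepted. The mode names, event names, transitions and the constructed event sequences are hypothetical, chosen for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    ROUTINE = "routine"
    EXCEPTIONAL = "exceptional"
    EMERGENCY = "emergency"


# Design scope: the events acceptable in each situation. The same table serves
# enforcement (reject out-of-scope events) and escalation detection (an
# out-of-scope event is the escalation signal). Event names are hypothetical.
DESIGN_SCOPE = {
    Mode.ROUTINE: {"read_sensor", "set_point", "operator_login", "fault"},
    # Exceptional situation: only events that resume routine operation
    # (fault_cleared) or keep the system alive (heartbeat) are accepted.
    Mode.EXCEPTIONAL: {"heartbeat", "fault_cleared"},
    # Emergency mode (the safety net): keep-alive and a manual reset only.
    Mode.EMERGENCY: {"heartbeat", "manual_reset"},
}

# In-scope events that move the system between situations; any other
# in-scope event leaves the mode unchanged.
TRANSITIONS = {
    (Mode.ROUTINE, "fault"): Mode.EXCEPTIONAL,
    (Mode.EXCEPTIONAL, "fault_cleared"): Mode.ROUTINE,
    (Mode.EMERGENCY, "manual_reset"): Mode.ROUTINE,
}


@dataclass
class Controller:
    mode: Mode = Mode.ROUTINE
    log: list = field(default_factory=list)

    def handle(self, event: str) -> Mode:
        """Accept the event only if it lies inside the design scope of the current mode.

        Anything else is an escalation: the event is discarded, the safety net
        engages and the system drops into emergency mode. Returns the new mode.
        """
        if event not in DESIGN_SCOPE[self.mode]:
            self.log.append(
                f"ESCALATION: {event!r} out of scope in {self.mode.value}; safety net engaged"
            )
            self.mode = Mode.EMERGENCY
            return self.mode
        self.log.append(f"accepted {event!r} in {self.mode.value}")
        self.mode = TRANSITIONS.get((self.mode, event), self.mode)
        return self.mode


def run(events):
    """Feed an event sequence through a fresh controller; return (final mode, log)."""
    controller = Controller()
    for event in events:
        controller.handle(event)
    return controller.mode, controller.log


if __name__ == "__main__":
    # Constructed sequence: a fault, then an operator set-point change while the
    # system is still in the exceptional situation. The set-point event is
    # outside the exceptional scope, so it escalates to emergency mode.
    mode, log = run(["read_sensor", "fault", "heartbeat", "set_point", "heartbeat"])
    print("\n".join(log))
    print("final mode:", mode.value)
```

The design choice worth noting is that there is no separate "escalation detector": the membership test against DESIGN_SCOPE is both the enforcement and the detection, which is the point of the last paragraph above. A reset out of emergency mode is deliberately a distinct manual event rather than the ordinary fault_cleared, so that the condition that caused the escalation cannot also silently clear it.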
Updated on 28 Jun 2016.