The design should not tolerate the option of mishaps. Risky situations should be expected, and the design should include means of protection against these risks.
Theoretically, risks due to exceptional events can be managed by predicting the probability and threat of potential hazards.
The methods of risk management apply to hazards that have recurred in the past, so that estimates of their probability and threat are available.
However, the event following an exceptional event is often unexpected, and the data required to obtain these estimates is absent (Taleb, 2007). When dealing with potential events that have not yet materialized, we have no choice but to rely on models of system failure. This method was demonstrated by Weiler and Harel (2011).
Primary risks concern hazards that hamper safe operation. Add-ons are the means of preventing these hazards. A fault in an add-on is not critical: it does not hamper safe operation immediately when it occurs. The design of resilient systems therefore requires that faults in the add-ons are detected and fixed routinely, so that primary risks are always prevented.
Updated on 05 Apr 2017.