Safety-critical systems, such as nuclear power stations and civilian aircraft, are designed to safety standards. Such standards may be set, for example, by national or international regulators, standard-setting bodies or certification agencies, and may be defined for an industry as a whole, for a class of systems or for an individual system. Even in the absence of a formal safety standard, equipment in a system may be designed to safety rules where this is seen as desirable, for example to protect biodiversity.
A fission reactor, for example, must be designed and constructed so that operators can control its operation. Such control may comprise, when necessary, bringing the reactor to a managed idle state on instruction. In such an idle state the fission reaction is subcritical and decay heat is removed from the reactor core; decay heat continues to be generated after shutdown and, if not removed, may overheat and damage the core, potentially leading to a release of radionuclides.
A civilian aircraft, on the other hand, may be safely operated only if it can be reliably flown even when its systems develop fault conditions. For example, if a flight computer develops a fault, the pilots must still be able to provide meaningful control inputs so that the aircraft continues in safe flight.
To obtain safe operability in a safety-critical system, components included in the system may be associated with safety conditions. For example, a flight computer may be made redundant, in which case the aircraft is furnished with a plurality of flight computers, each individually capable of controlling the flight. Here, redundancy is a safety condition associated with the flight computer. In case of a fault condition in one of the flight computers, another flight computer assumes the task of controlling the flight and the faulty flight computer is set to an inactive state.
In conventional systems, when a component that is associated with a safety condition is replaced, the replacement component becomes associated with the same safety condition, because the safety condition operates at the component level rather than being tied to a specific physical part. In some systems, the replacement is further constrained to a part that resembles the replaced part as closely as possible.
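The redundancy condition, the failover on a fault, and the way a conventional component-level safety condition carries over to a like-for-like replacement, as an added worked model (not code from the original text or from any particular aircraft or reactor system). The class and function names, the minimum-healthy-count rule used to evaluate redundancy, and the three-computer scenario are assumptions made for illustration:

```python
"""Toy model of component-level safety conditions.

Added example: the names below and the "at least min_healthy non-faulty
components of a kind" rule are assumptions, not from the original text.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"      # currently controlling the function (e.g. the flight)
    STANDBY = "standby"    # healthy and ready to assume control
    INACTIVE = "inactive"  # faulted and taken out of service


@dataclass(frozen=True)
class Redundancy:
    """Safety condition: at least `min_healthy` components of `kind` must be
    non-faulty. It is bound to components, so a replacement inherits it."""
    kind: str
    min_healthy: int


@dataclass
class Component:
    ident: str
    kind: str
    state: State = State.STANDBY
    conditions: frozenset = field(default_factory=frozenset)


class SafetySystem:
    def __init__(self) -> None:
        self.components: dict[str, Component] = {}

    def add(self, comp: Component) -> None:
        if comp.ident in self.components:
            raise ValueError(f"duplicate component {comp.ident}")
        self.components[comp.ident] = comp

    def healthy(self, kind: str) -> list[Component]:
        return [c for c in self.components.values()
                if c.kind == kind and c.state is not State.INACTIVE]

    def active(self, kind: str) -> Optional[Component]:
        for c in self.components.values():
            if c.kind == kind and c.state is State.ACTIVE:
                return c
        return None

    def fault(self, ident: str) -> Optional[str]:
        """Mark `ident` inactive; if it was in control, promote a standby of the
        same kind. Returns the ident now in control, or None if nothing is."""
        comp = self.components[ident]
        was_active = comp.state is State.ACTIVE
        comp.state = State.INACTIVE
        if not was_active:
            current = self.active(comp.kind)
            return current.ident if current else None
        for c in self.components.values():
            if c.kind == comp.kind and c.state is State.STANDBY:
                c.state = State.ACTIVE
                return c.ident
        return None

    def replace(self, old_ident: str, new: Component) -> Component:
        """Swap a component for a like-for-like part. The replacement must be of
        the same kind; the old part's safety conditions are bound to it."""
        old = self.components[old_ident]
        if new.kind != old.kind:
            raise ValueError(f"{new.ident} is a {new.kind}, expected {old.kind}")
        del self.components[old_ident]
        new.conditions = old.conditions
        new.state = State.STANDBY  # a fresh part joins as standby, not in control
        self.components[new.ident] = new
        return new

    def violations(self) -> list[str]:
        """Evaluate every redundancy condition bound to any component."""
        conds = {cond for c in self.components.values() for cond in c.conditions}
        out = []
        for cond in sorted(conds, key=lambda r: r.kind):
            n = len(self.healthy(cond.kind))
            if n < cond.min_healthy:
                out.append(f"{cond.kind}: {n} healthy, need {cond.min_healthy}")
        return out


def demo() -> dict:
    """Constructed scenario: three flight computers, two must stay healthy."""
    rc = Redundancy("flight_computer", 2)
    system = SafetySystem()
    system.add(Component("FC1", "flight_computer", State.ACTIVE, frozenset({rc})))
    for ident in ("FC2", "FC3"):
        system.add(Component(ident, "flight_computer", State.STANDBY, frozenset({rc})))
    trace = {}
    # FC1 faults: FC2 takes over and two computers remain healthy.
    trace["after_fc1_fault"] = (system.fault("FC1"), system.violations())
    # FC2 faults too: FC3 takes over, but the redundancy condition is violated.
    trace["after_fc2_fault"] = (system.fault("FC2"), system.violations())
    # Replacing FC1 with a like-for-like part restores the condition; the new
    # part is bound to the same Redundancy object without any explicit step.
    new = system.replace("FC1", Component("FC4", "flight_computer"))
    trace["after_replace"] = (new.conditions == frozenset({rc}), system.violations())
    return trace
```

The `violations()` check is what an operator or maintenance process would run after any fault or swap: it shows that failover alone does not restore safety once the second computer is lost, and that the replacement part satisfies the condition only because the condition is bound to the component slot rather than to the serial number of the part removed.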