12.1 The response of any back-up equipment, or
any corrective action initiated at a given system level to prevent
or reduce the effect of the failure mode of a system element or equipment,
shall also be identified and evaluated.
12.2 Provisions which are features of the design
at any system level to nullify the effects of a malfunction or failure,
such as controlling or deactivating system elements to halt generation
or propagation of failure effects, or activating back-up or standby
items or systems, shall be described. Corrective design provisions
include:
.1 redundancies that allow continued and safe operation;
.2 safety devices, monitoring or alarm provisions, which permit restricted operation or limit damage; and
.3 alternative modes of operation.
12.3 Provisions which require operator action
to circumvent or mitigate the effects of the postulated failure shall
be described. Where the corrective action, or the initiation of the
redundancy, requires operator input, the possibility and effect of
operator error shall be considered when evaluating the means to
eliminate the local failure effects.
12.4 It shall be noted that corrective responses
acceptable in one operational mode may not be acceptable in another.
For example, a redundant system element that takes a considerable time
to be brought on line may be adequate in the operational mode "normal
seagoing conditions at full speed" but may result in a catastrophic
effect in another operational mode, e.g., "maximum permitted operating
speed in congested water".
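As an added illustration, not part of the Code text, the following Python sketch models the evaluation described in 12.2 to 12.4 as it might be carried on an FMEA worksheet: each corrective provision (redundancy, safety device, alternative mode or operator action) is checked against every operational mode, is credited only if it becomes effective within the time that mode can tolerate, and, if it depends on operator input, is credited only when the assumed operator-error probability is below a stated threshold. The element names, operational modes, response times, severities and the operator-error threshold are all constructed assumptions chosen to reproduce the situation in 12.4.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """End-effect severity classes; higher value is worse (assumed scale)."""
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


@dataclass(frozen=True)
class OperationalMode:
    name: str
    tolerable_lag_s: float  # assumed time the mode can tolerate loss of the function


@dataclass(frozen=True)
class Provision:
    kind: str                      # "redundancy", "safety device", "alternative mode" or "operator action"
    description: str
    response_time_s: float         # time until the provision is effective
    mitigated_severity: Severity   # end-effect severity once the provision is effective
    requires_operator: bool = False
    operator_error_prob: float = 0.0  # assumed probability the operator fails to act correctly


@dataclass(frozen=True)
class FailureMode:
    element: str
    mode: str
    unmitigated_severity: Severity
    provisions: tuple  # tuple[Provision, ...]


def evaluate(fm, op_mode, max_operator_error=0.01):
    """Evaluate one failure mode in one operational mode.

    Returns (credited_severity, notes). A provision is credited only if its
    response time fits within the mode's tolerable lag (12.4) and, where it
    needs operator input, only if the operator-error probability is at or
    below max_operator_error (12.3). The threshold is an assumed figure.
    """
    severity = fm.unmitigated_severity
    notes = []
    for p in fm.provisions:
        if p.response_time_s > op_mode.tolerable_lag_s:
            notes.append(f"{p.description}: {p.response_time_s:.0f} s lag exceeds "
                         f"{op_mode.tolerable_lag_s:.0f} s tolerable in '{op_mode.name}'; not credited")
            continue
        if p.requires_operator and p.operator_error_prob > max_operator_error:
            notes.append(f"{p.description}: operator action with error probability "
                         f"{p.operator_error_prob} exceeds {max_operator_error}; not credited")
            continue
        if p.mitigated_severity < severity:
            severity = p.mitigated_severity
            notes.append(f"{p.description} ({p.kind}): credited, effect reduced to {severity.name}")
    return severity, notes


def evaluate_all(failure_modes, op_modes, max_operator_error=0.01):
    """Worksheet view per 12.1/12.4: {(element, failure mode, op mode): severity}."""
    return {(fm.element, fm.mode, m.name): evaluate(fm, m, max_operator_error)[0]
            for fm in failure_modes for m in op_modes}


# Constructed sample data reproducing the contrast described in 12.4.
SEAGOING = OperationalMode("normal seagoing conditions at full speed", tolerable_lag_s=120)
CONGESTED = OperationalMode("maximum permitted operating speed in congested water", tolerable_lag_s=10)

STEERING_PUMP_LOSS = FailureMode(
    element="steering hydraulic pump A", mode="loss of output",
    unmitigated_severity=Severity.CATASTROPHIC,
    provisions=(
        Provision("redundancy", "automatic changeover to pump B", 30, Severity.MINOR),
        Provision("operator action", "manual selection of emergency steering", 90, Severity.MAJOR,
                  requires_operator=True, operator_error_prob=0.05),
    ),
)

GENERATOR_TRIP = FailureMode(
    element="generator G1", mode="trip on overcurrent",
    unmitigated_severity=Severity.HAZARDOUS,
    provisions=(
        Provision("operator action", "manual start of standby generator", 60, Severity.MAJOR,
                  requires_operator=True, operator_error_prob=0.005),
    ),
)

if __name__ == "__main__":
    for fm in (STEERING_PUMP_LOSS, GENERATOR_TRIP):
        for m in (SEAGOING, CONGESTED):
            sev, notes = evaluate(fm, m)
            print(f"{fm.element} / {fm.mode} / {m.name}: {sev.name}")
            for n in notes:
                print("   ", n)
```

The same 30 s changeover that leaves only a minor effect at full speed in open water is not credited at all in congested water, so the same failure mode carries a catastrophic end effect in that mode; the worksheet has to record both rows rather than one. The manual emergency-steering provision is listed and evaluated but deliberately not relied upon because of the assumed operator-error probability, which is the kind of finding 12.3 asks the analysis to make explicit.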