In any well designed work system, numerous precautions are taken to protect the actors against occupational risk and the system against major accidents, using a 'defence-in-depth' design strategy. One basic problem is that in such a system having functionally redundant protective defences, a local violation of one of the defences has no immediate, visible effect and then may not be observed in action. In this situation, the boundary of safe behaviour of one particular actor depends on the possible violation of defences by other actors:

Therefore, in systems designed according to the defence-in-depth strategy, the defences are likely to degenerate systematically through time, when pressure toward cost-effectiveness is dominating.

Strategies for protection from crossing the safety boundary

• Increase margin
• Increase awareness about the boundary (safety culture)
• Make boundary explicit: run experiments, actually find out where the boundary is
  • Continuous learning

Combining the last two points can actually be safer than requiring excessive margins which are likely to deteriorate in unpredictable ways under pressure. In other words, Focus on fast detection and response instead of trying to avoid failure.

Concretely, in the context of batteries:

• The boundaries of cell and battery engineering: safety, cost, and performance

Related:

• Resource/safety tradeoff
  • Efficiency—performance—safety tradeoffs in batteries
• Design for failure

References

Risk Management in a Dynamic Society

https://medium.com/10x-curiosity/boundaries-of-failure-rasmussens-model-of-how-accidents-happen-58dc61eb1cf