Abstract
This paper presents four alarm subsystem configurations, covering fault-alerting and safety-presentation types, and distinguishes two kinds of correspondence between sensor states and plant states. For each configuration we give a probabilistic analysis of fail-safe (FS) failures and fail-dangerous (FD) failures. We prove that an alarm subsystem which minimizes the FS and FD failure probabilities simultaneously can be obtained by choosing the human-machine interface configuration and the associated safety-control policy appropriately.
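The FS/FD bookkeeping the abstract refers to, as an added Python illustration that is not the paper's model or code: a single binary sensor channel watches a two-state plant; the channel may be healthy, stuck low or stuck high (all rates are assumed for the example), the correspondence fixes which raw reading stands for "dangerous", and the safety-control policy fixes which reading trips the plant. P(FS) is the probability of tripping while the plant is safe and P(FD) the probability of not tripping while it is dangerous. The code enumerates the four correspondence/policy pairs, reports which are Pareto-optimal, and picks the one that minimizes a weighted sum of the two failure probabilities.

```python
from dataclasses import dataclass
from fractions import Fraction
from itertools import product

# Constructed illustration: one binary sensor channel, two-state plant.
# Every rate below is an assumption made for this example.


@dataclass(frozen=True)
class Channel:
    p_stuck_low: Fraction   # channel fails with the reading forced to 0
    p_stuck_high: Fraction  # channel fails with the reading forced to 1
    p_miss: Fraction        # healthy channel fails to register a dangerous plant
    p_false: Fraction       # healthy channel indicates danger on a safe plant


@dataclass(frozen=True)
class Config:
    high_means_danger: bool  # correspondence: raw reading 1 stands for "dangerous"
    trip_on: int             # policy: reading value (0 or 1) on which the control trips


def p_reading(ch: Channel, cfg: Config, plant_dangerous: bool, value: int) -> Fraction:
    """P(raw reading == value | plant state), marginalised over channel health."""
    p_healthy = 1 - ch.p_stuck_low - ch.p_stuck_high
    # Reading a healthy channel should show for this plant state under the correspondence.
    nominal = int(plant_dangerous == cfg.high_means_danger)
    p_error = ch.p_miss if plant_dangerous else ch.p_false
    healthy_shows_value = (1 - p_error) if value == nominal else p_error
    stuck = ch.p_stuck_high if value == 1 else ch.p_stuck_low
    return p_healthy * healthy_shows_value + stuck


def failure_probs(ch: Channel, cfg: Config) -> tuple[Fraction, Fraction]:
    """Return (P(FS), P(FD)) for one correspondence/policy pair."""
    fs = p_reading(ch, cfg, False, cfg.trip_on)      # trips while the plant is safe
    fd = 1 - p_reading(ch, cfg, True, cfg.trip_on)   # does not trip while it is dangerous
    return fs, fd


def all_configs() -> list[Config]:
    return [Config(h, t) for h, t in product((True, False), (1, 0))]


def pareto_optimal(ch: Channel) -> list[Config]:
    """Configurations not dominated on both P(FS) and P(FD) by another one."""
    table = {cfg: failure_probs(ch, cfg) for cfg in all_configs()}
    keep = []
    for cfg, (fs, fd) in table.items():
        dominated = any(
            ofs <= fs and ofd <= fd and (ofs < fs or ofd < fd)
            for other, (ofs, ofd) in table.items() if other != cfg
        )
        if not dominated:
            keep.append(cfg)
    return keep


def best_weighted(ch: Channel, w_fd) -> Config:
    """Configuration minimising w_fd * P(FD) + (1 - w_fd) * P(FS)."""
    def cost(cfg: Config):
        fs, fd = failure_probs(ch, cfg)
        return w_fd * fd + (1 - w_fd) * fs
    return min(all_configs(), key=cost)


# Assumed rates: the channel is far more likely to lose its signal (stuck low)
# than to assert a spurious one (stuck high).
EXAMPLE = Channel(
    p_stuck_low=Fraction(1, 20),
    p_stuck_high=Fraction(1, 100),
    p_miss=Fraction(1, 50),
    p_false=Fraction(1, 100),
)

if __name__ == "__main__":
    for cfg in all_configs():
        fs, fd = failure_probs(EXAMPLE, cfg)
        print(f"{cfg}: P(FS)={float(fs):.4f}  P(FD)={float(fd):.4f}")
    print("Pareto-optimal:", pareto_optimal(EXAMPLE))
    print("FD weighted 3:1:", best_weighted(EXAMPLE, Fraction(3, 4)))
```

With these assumed rates only the two "sensible" pairings survive: trip on 1 when 1 means danger, or trip on 0 when 0 means danger. They trade P(FS) against P(FD) rather than one dominating the other, and weighting FD more heavily selects the loss-of-signal pairing, because the channel's more common failure mode (stuck low) then lands on the fail-safe side. Extending the channel model with the richer interface configurations the paper analyses would be needed to reproduce its simultaneous-minimisation result.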