*4.5. Fault Management*

Analyzing the aforementioned failure events for causes and effects allows the design and control logic to be refined for better durability. The final failure began when one stack developed an abnormality and was turned off. The abnormal stack stopped generating power and started sinking heat from the other stacks, which caused the EMS to make wrong judgments that led successively to further flooding failures. While the logic of the aggressive fault-tolerant auto-recovery feature is still under development, a conservative fault-management strategy could be preferred during verification to reduce the risk of chained faults: in the case of any stack failure, simply shut down the station and send a notification of the abnormality for forensic investigation, maintenance, and improvements.
