BGG
I think we are mostly in agreement, and I understand the cost implications if you looked for a wholly fail-safe system. However, I think that many system hazards may be masked by the use of the operator figure. If you removed that element from the hazard analysis, it would highlight the weaker areas of design. I'm not suggesting this as an approach to design, rather as a method of turning the stones during independent review.
regards
retard