MIT Prof. Nancy Leveson claims 40 years of experience with systems and from this perspective disagrees with Safety-II point by point for 100 pages. pdf 
Ward is not involved in this argument, but thought he should turn to page 86 and see what she says about systems in general. Here, as so often before, he was disappointed.
> The simplest example that most everyone is familiar with is a thermostat. The thermostat is provided with a setpoint and gets feedback about the current temperature in the controlled space. If the temperature is below the setpoint, then heat is applied until feedback (sensors) show that the setpoint has been reached. Then the application of heat is discontinued.
But, Ward continues, "that is not how a bi-metal home-heating thermostat works. The control is analog, not binary, where ambient temperature modulates a pulse duty cycle. […]"
**Note**: The author, Nancy Leveson, is not at all concerned with bimetallic devices and how temperature is measured. And we use mechanical radiator thermostats page (de) over here, that, unlike bimetallic devices page (de) , adjust the power of the heating surfaces to the demand.
> This is because while thermostats on the radiator reduce or increase the flow of heating water step by step according to the room temperatures, bimetallic devices only know the states "On" or "Off".
Ward seems to add a lot of Accidental Complexity (to help remain disappointed?). His statement: "[…] ambient temperature modulates a pulse duty cycle. […]" is nevertheless very interesting, if we subtract the annoyance with the woman.
Bimetallic Devices
Uploaded image
The classic circular dial manual thermostat includes a model of household heating dynamics implemented with an adjustable ambient-temperature sensitive relaxation-oscillator. This includes a heating element operating on the bi-metal sensor directly within the dial assembly itself. This part of the system is appropriately called the "heat anticipator". A rheostat adjusts the system cycle time which in all cases is faster than the whole-house thermal time constant.
We can identify two control loops. First the slow loop where ambient temperature (blue) controls fuel combustion (pink). A second fast loop (green) is the heat anticipator which oscillates independently of fuel combustion producing a pulse train that ambient air modulates.
digraph { node [shape=box style=filled] node [fillcolor=lightblue] Ambient -> Coil [label=emersion] Coil -> Tilt [label=expansion] Tilt -> Mercury [label=slope] Mercury -> Tilt [label=gravity] Mercury -> Switch [label=conductance] Setting -> Tilt [label=rotation] node [fillcolor=pink] Switch -> Solenoid [label=current] Voltage -> Solenoid [label=current] AC -> Voltage [label=transformer] Solenoid -> Combustion [label=fuel] Combustion -> Ambient [label=mass] node [fillcolor=lightgreen] Switch -> Wiper [label=current] Wiper -> Resistance [label=turns] Resistance -> Heat [label=ohmic] Heat -> Coil [label=proximity] Lever -> Wiper [label=mechanical] Scale -> Lever [label=legend] Ampere -> Scale [label=ticks] Longer -> Scale [label=direction] Shorter -> Scale [label=direction] Solenoid -> Ampere [label=rating] }
Click nodes for details.
Notice that the home owner has two controls: the setting for preferred ambient and the lever for shorter or longer furnace cycling.