Fail-safe

Last updated May 02, 2024

In engineering, a fail-safe is a design feature or practice that, in the event of a failure of the design feature, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people. Unlike inherent safety to a particular hazard, a system being "fail-safe" does not mean that failure is impossible or improbable, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. That is, if and when a "fail-safe" system fails, it remains at least as safe as it was before the failure.^[1]^[2] Since many types of failure are possible, failure mode and effects analysis is used to examine failure situations and recommend safety design and procedures.^[3]

Examples

Mechanical or physical

Examples include:

Roller-shutter fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signaled regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature-sensitive fusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.
Some airport baggage carts require that the person hold down a given cart's handbrake switch at all times; if the handbrake switch is released, the brake will activate, and assuming that all other portions of the braking system are working properly, the cart will stop. The handbrake-holding requirement thus both operates according to the principles of "fail-safety" and contributes to (but does not necessarily ensure) the fail-security of the system. This is an example of a dead man's switch .
Lawnmowers and snow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the blade's or rotor's rotation. This also functions as a dead man's switch.
Air brakes on railway trains and air brakes on trucks. The brakes are held in the "off" position by air pressure created in the brake system. Should a brake line split, or a carriage become uncoupled, the air pressure will be lost and the brakes applied, by springs in the case of trucks, or by a local air reservoir in trains. It is impossible to drive a truck with a serious leak in the air brake system. (Trucks may also employ wig wags to indicate low air pressure.)
Motorized gates – In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, a fail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area or under lock and key. When such a gate provides vehicle access to homes, a fail-safe design is used, where the door opens to allow fire department access.
Safety valves – Various devices that operate with fluids use fuses or safety valves as fail-safe mechanisms.

A railway semaphore signal is specially designed so that, should the cable controlling the signal break, the arm returns to the "danger" position, preventing any trains passing the inoperative signal.
Isolation valves, and control valves, that are used for example in systems containing hazardous substances, can be designed to close upon loss of power, for example by spring force. This is known as fail-closed upon loss of power.
An elevator has brakes that are held off brake pads by the tension of the elevator cable. If the cable breaks, tension is lost and the brakes latch on the rails in the shaft, so that the elevator cabin does not fall.
Vehicle air conditioning – Defrost controls require vacuum for diverter damper operation for all functions except defrost. If vacuum fails, defrost is still available.

Electrical or electronic

Examples include:

Many devices are protected from short circuit by fuses, circuit breakers, or current limiting circuits. The electrical interruption under overload conditions will prevent damage or destruction of wiring or circuit devices due to overheating.
Avionics ^[5] using redundant systems to perform the same computation using three different systems. Different results indicate a fault in the system.^[6]
Drive-by-wire and fly-by-wire controls such as an Accelerator Position Sensor typically have two potentiometers which read in opposite directions, such that moving the control will result in one reading becoming higher, and the other generally equally lower. Mismatches between the two readings indicates a fault in the system, and the ECU can often deduce which of the two readings is faulty.^[7]
Traffic light controllers use a Conflict Monitor Unit to detect faults or conflicting signals and switch an intersection to an all flashing error signal, rather than displaying potentially dangerous conflicting signals, e.g. showing green in all directions.^[8]
The automatic protection of programs and/or processing systems when a computer hardware or software failure is detected in a computer system. A classic example is a watchdog timer. See Fail-safe (computer).
A control operation or function that prevents improper system functioning or catastrophic degradation in the event of circuit malfunction or operator error; for example, the failsafe track circuit used to control railway block signals. The fact that a flashing amber is more permissive than a solid amber on many railway lines is a sign of a failsafe, as the relay, if not working, will revert to a more restrictive setting.
The iron pellet ballast on the Bathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place by electromagnets. If electrical power fails, the ballast is released, and the submarine then ascends to safety.
Many nuclear reactor designs have neutron-absorbing control rods suspended by electromagnets. If the power fails, they drop under gravity into the core and shut down the chain reaction in seconds by absorbing the neutrons needed for fission to continue.
In industrial automation, alarm circuits are usually "normally closed". This ensures that in case of a wire break the alarm will be triggered. If the circuit were normally open, a wire failure would go undetected, while blocking actual alarm signals.
Analog sensors and modulating actuators can usually be installed and wired such that the circuit failure results in an out-of-bound reading – see current loop. For example, a potentiometer indicating pedal position might only travel from 20% to 80% of its full range, such that a cable break or short results in a 0% or 100% reading.
In control systems, critically important signals can be carried by a complementary pair of wires (<signal> and <not_signal>). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut or unplugged wires) are thereby detected. An example would be a control system reading both the normally open (NO) and normally closed (NC) poles of a SPDT selector switch against common, and checking them for coherency before reacting to the input.
In HVAC control systems, actuators that control dampers and valves may be fail-safe, for example, to prevent coils from freezing or rooms from overheating. Older pneumatic actuators were inherently fail-safe because if the air pressure against the internal diaphragm failed, the built-in spring would push the actuator to its home position – of course the home position needed to be the "safe" position. Newer electrical and electronic actuators need additional components (springs or capacitors) to automatically drive the actuator to home position upon loss of electrical power.^[9]
Programmable logic controllers (PLCs). To make a PLC fail-safe the system does not require energization to stop the drives associated. For example, usually, an emergency stop is a normally closed contact. In the event of a power failure this would remove the power directly from the coil and also the PLC input. Hence, a fail-safe system.
If a voltage regulator fails, it can destroy connected equipment. A crowbar (circuit) prevents damage by short-circuiting the power supply as soon as it detects overvoltage.

Procedural safety

An aircraft lights its afterburners to maintain full power during an arrested landing aboard an aircraft carrier. If the arrested landing fails, the aircraft can safely take off again. FA-18-Afterburners.jpg — An aircraft lights its afterburners to maintain full power during an arrested landing aboard an aircraft carrier. If the arrested landing fails, the aircraft can safely take off again.

As well as physical devices and systems fail-safe procedures can be created so that if a procedure is not carried out or carried out incorrectly no dangerous action results. For example:

Spacecraft trajectory - During early Apollo program missions to the Moon, the spacecraft was put on a free return trajectory — if the engines had failed at lunar orbit insertion, the craft would have safely coasted back to Earth.
The pilot of an aircraft landing on an aircraft carrier increases the throttle to full power at touchdown. If the arresting wires fail to capture the aircraft, it is able to take off again; this is an example of fail-safe practice.^[10]
In railway signalling signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every controlled absolute signal is therefore "danger", and therefore a positive action — setting signals to "clear" — is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, that a train will never be shown an erroneous "clear" signal.
Railroad engineers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example a colour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing "danger". In this way, the driver contributes to the fail-safety of the system.

Other terminology

Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality expert.^[11]^[12] "Safe to fail" refers to civil engineering designs such as the Room for the River project in Netherlands and the Thames Estuary 2100 Plan^[13]^[14] which incorporate flexible adaptation strategies or climate change adaptation which provide for, and limit, damage, should severe events such as 500-year floods occur.^[15]

Fail safe and fail secure

Fail-safe and fail-secure are distinct concepts. Fail-safe means that a device will not endanger lives or property when it fails. Fail-secure, also called fail-closed, means that access or data will not fall into the wrong hands in a security failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building.

The opposite of fail-closed is called fail-open.

Fail active operational

Fail active operational can be installed on systems that have a high degree of redundancy so that a single failure of any part of the system can be tolerated (fail active operational) and a second failure can be detected – at which point the system will turn itself off (uncouple, fail passive). One way of accomplishing this is to have three identical systems installed, and a control logic which detects discrepancies. An example for this are many aircraft systems, among them inertial navigation systems and pitot tubes.

Failsafe point

During the Cold War, "failsafe point" was the term used for the point of no return for American Strategic Air Command nuclear bombers, just outside Soviet airspace. In the event of receiving an attack order, the bombers were required to linger at the failsafe point and wait for a second confirming order; until one was received, they would not arm their bombs or proceed further.^[16] The design was to prevent any single failure of the American command system causing nuclear war. This sense of the term entered the American popular lexicon with the publishing of the 1962 novel Fail-Safe .

(Other nuclear war command control systems have used the opposite scheme, fail-deadly, which requires continuous or regular proof that an enemy first-strike attack has not occurred to prevent the launching of a nuclear strike.)

Related Research Articles

<span class="mw-page-title-main">Fly-by-wire</span> Electronic flight control system

Fly-by-wire (FBW) is a system that replaces the conventional manual flight controls of an aircraft with an electronic interface. The movements of flight controls are converted to electronic signals transmitted by wires, and flight control computers determine how to move the actuators at each control surface to provide the ordered response. Implementations either use mechanical flight control backup systems or else are fully electronic.

A relay is an electrically operated switch. It consists of a set of input terminals for a single or multiple control signals, and a set of operating contact terminals. The switch may have any number of contacts in multiple contact forms, such as make contacts, break contacts, or combinations thereof.

A railway air brake is a railway brake power braking system with compressed air as the operating medium. Modern trains rely upon a fail-safe air brake system that is based upon a design patented by George Westinghouse on April 13, 1869. The Westinghouse Air Brake Company was subsequently organized to manufacture and sell Westinghouse's invention. In various forms, it has been nearly universally adopted.

A thermostat is a regulating device component which senses the temperature of a physical system and performs actions so that the system's temperature is maintained near a desired setpoint.

A safety-critical system or life-critical system is a system whose failure or malfunction may result in one of the following outcomes:

On trains, the expression emergency brake has several meanings:

In electrical signalling an analog current loop is used where a device must be monitored or controlled remotely over a pair of conductors. Only one current level can be present at any time.

Drive by wire or DbW technology in the automotive industry is the use of electronic or electro-mechanical systems in place of mechanical linkages that control driving functions. The concept is similar to fly-by-wire in the aviation industry. Drive-by-wire may refer to just the propulsion of the vehicle through electronic throttle control, or it may refer to electronic control over propulsion as well as steering and braking, which separately are known as steer by wire and brake by wire, along with electronic control over other vehicle driving functions.

In engineering and systems theory, redundancy is the intentional duplication of critical components or functions of a system with the goal of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance, such as in the case of GNSS receivers, or multi-threaded computer processing.

A track circuit is an electrical device used to prove the absence of a train on rail tracks to signallers and control relevant signals. An alternative to track circuits are axle counters.

A damper is a valve or plate that stops or regulates the flow of air inside a duct, chimney, VAV box, air handler, or other air-handling equipment. A damper may be used to cut off central air conditioning to an unused room, or to regulate it for room-by-room temperature and climate control - for example, in the case of Volume Control Dampers. Its operation can be manual or automatic. Manual dampers are turned by a handle on the outside of a duct. Automatic dampers are used to regulate airflow constantly and are operated by electric or pneumatic motors, in turn controlled by a thermostat or building automation system. Automatic or motorized dampers may also be controlled by a solenoid, and the degree of air-flow calibrated, perhaps according to signals from the thermostat going to the actuator of the damper in order to modulate the flow of air-conditioned air in order to effect climate control.

Fault tolerance is the ability of a system to maintain proper operation in the event of failures or faults in one or more of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system, in which even a small failure can lead to total breakdown. Fault tolerance is particularly sought after in high-availability, mission-critical, or even life-critical systems. The ability of maintaining functionality when portions of a system break down is referred to as graceful degradation.

Building automation (BAS), also known as building management system (BMS) or building energy management system (BEMS), is the automatic centralized control of a building's HVAC, electrical, lighting, shading, access control, security systems, and other interrelated systems. Some objectives of building automation are improved occupant comfort, efficient operation of building systems, reduction in energy consumption, reduced operating and maintaining costs and increased security.

<span class="mw-page-title-main">Axle counter</span>

An axle counter is a system used in railway signalling to detect the clear or occupied status of a section of track between two points. The system generally consists of a wheel sensor and an evaluation unit for counting the axles of the train both into and out of the section. They are often used to replace a track circuit.

An air brake or, more formally, a compressed-air-brake system, is a type of friction brake for vehicles in which compressed air pressing on a piston is used to both release the parking/emergency brakes in order to move the vehicle, and also to apply pressure to the brake pads or brake shoes to slow and stop the vehicle. Air brakes are used in large heavy vehicles, particularly those having multiple trailers which must be linked into the brake system, such as trucks, buses, trailers, and semi-trailers, in addition to their use in railroad trains. George Westinghouse first developed air brakes for use in railway service. He patented a safer air brake on March 5, 1872. Westinghouse made numerous alterations to improve his air pressured brake invention, which led to various forms of the automatic brake. In the early 20th century, after its advantages were proven in railway use, it was adopted by manufacturers of trucks and heavy road vehicles.

A control valve is a valve used to control fluid flow by varying the size of the flow passage as directed by a signal from a controller. This enables the direct control of flow rate and the consequential control of process quantities such as pressure, temperature, and liquid level.

Brake-by-wire technology in the automotive industry is the ability to control brakes through electronic means, without a mechanical connection that transfers force to the physical braking system from a driver input apparatus such as a pedal or lever.

A valve actuator is the mechanism for opening and closing a valve. Manually operated valves require someone in attendance to adjust them using a direct or geared mechanism attached to the valve stem. Power-operated actuators, using gas pressure, hydraulic pressure or electricity, allow a valve to be adjusted remotely, or allow rapid operation of large valves. Power-operated valve actuators may be the final elements of an automatic control loop which automatically regulates some flow, level or other process. Actuators may be only to open and close the valve, or may allow intermediate positioning; some valve actuators include switches or other ways to remotely indicate the position of the valve.

A shutdown valve is an actuated valve designed to stop the flow of a hazardous fluid upon the detection of a dangerous event. This provides protection against possible harm to people, equipment or the environment. Shutdown valves form part of a safety instrumented system. The process of providing automated safety protection upon the detection of a hazardous event is called functional safety.

A Diving rebreather is an underwater breathing apparatus that absorbs the carbon dioxide of a diver's exhaled breath to permit the rebreathing (recycling) of the substantially unused oxygen content, and unused inert content when present, of each breath. Oxygen is added to replenish the amount metabolised by the diver. This differs from open-circuit breathing apparatus, where the exhaled gas is discharged directly into the environment. The purpose is to extend the breathing endurance of a limited gas supply, and, for covert military use by frogmen or observation of underwater life, to eliminate the bubbles produced by an open circuit system. A diving rebreather is generally understood to be a portable unit carried by the user, and is therefore a type of self-contained underwater breathing apparatus (scuba). A semi-closed rebreather carried by the diver may also be known as a gas extender. The same technology on a submersible or surface installation is more likely to be referred to as a life-support system.

References

↑ "Fail-safe". AudioEnglich.net. Accessed 2009.12.31
↑ e.g., David B. Rutherford Jr., What Do You Mean It\'s Fail Safe? . 1990 Rapid Transit Conference
↑ Force V: The history of Britain's airborne deterrent, by Andrew Brookes. Jane's Publishing Co Ltd; First Edition 1 Jan. 1982, ISBN 0710602383, p.144.
↑ Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications. MEN Mikro Elektronik. Archived from the original (pdf) on 2019-06-09. Retrieved 2015-09-21.
↑ Wragg, David W. (1973). A Dictionary of Aviation (first ed.). Osprey. p. 127. ISBN 9780850451634.
↑ Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications. MEN Mikro Elektronik. Archived from the original (pdf) on 2019-06-09. Retrieved 2015-09-21.
↑ "P2138 DTC Throttle/Pedal Pos Sensor/Switch D / E Voltage Correlation". www.obd-codes.com.
↑ Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003
↑ "When Failure Is Not an Option: The Evolution of Fail-Safe Actuators". KMC Controls. 29 October 2015. Retrieved 12 April 2021.
↑ Harris, Tom (29 August 2002). "How Aircraft Carriers Work". HowStuffWorks, Inc. Retrieved 2007-10-20.
↑ Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22. ISBN 0-915299-17-8. OCLC 19740349
↑ John R. Grout, Brian T. Downs. "A Brief Tutorial on Mistake-proofing, Poka-Yoke, and ZQC", MistakeProofing.com Archived 2016-03-19 at the Wayback Machine
↑ "Thames Estuary 2100 Plan" (PDF). UK Environment Agency. November 2012. Archived from the original (PDF) on 2012-12-10. Retrieved March 20, 2013.
↑ "Thames Estuary 2100 (TE2100)". UK Environment Agency. Retrieved March 20, 2013.
↑ Jennifer Weeks (March 20, 2013). "Adaptation expert Paul Kirshen proposes a new paradigm for civil engineers: 'safe to fail,' not 'fail safe'". The Daily Climate. Archived from the original on May 13, 2013. Retrieved March 20, 2013.
↑ "fail-safe". Dictionary.com. Retrieved November 7, 2021.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Fail-safe". AudioEnglich.net. Accessed 2009.12.31

[2] e.g., David B. Rutherford Jr., What Do You Mean It\'s Fail Safe? . 1990 Rapid Transit Conference

[3] Force V: The history of Britain's airborne deterrent, by Andrew Brookes. Jane's Publishing Co Ltd; First Edition 1 Jan. 1982, ISBN 0710602383, p.144.

[4] Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications. MEN Mikro Elektronik. Archived from the original (pdf) on 2019-06-09. Retrieved 2015-09-21.

[5] Wragg, David W. (1973). A Dictionary of Aviation (first ed.). Osprey. p. 127. ISBN 9780850451634.

[6] Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications. MEN Mikro Elektronik. Archived from the original (pdf) on 2019-06-09. Retrieved 2015-09-21.

[7] "P2138 DTC Throttle/Pedal Pos Sensor/Switch D / E Voltage Correlation". www.obd-codes.com.

[8] Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003

[9] "When Failure Is Not an Option: The Evolution of Fail-Safe Actuators". KMC Controls. 29 October 2015. Retrieved 12 April 2021.

[10] Harris, Tom (29 August 2002). "How Aircraft Carriers Work". HowStuffWorks, Inc. Retrieved 2007-10-20.

[11] Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22. ISBN 0-915299-17-8. OCLC 19740349

[12] John R. Grout, Brian T. Downs. "A Brief Tutorial on Mistake-proofing, Poka-Yoke, and ZQC", MistakeProofing.com Archived 2016-03-19 at the Wayback Machine

[TE2100-13] "Thames Estuary 2100 Plan" (PDF). UK Environment Agency. November 2012. Archived from the original (PDF) on 2012-12-10. Retrieved March 20, 2013.

[TE21-14] "Thames Estuary 2100 (TE2100)". UK Environment Agency. Retrieved March 20, 2013.

[TDC032013-15] Jennifer Weeks (March 20, 2013). "Adaptation expert Paul Kirshen proposes a new paradigm for civil engineers: 'safe to fail,' not 'fail safe'". The Daily Climate. Archived from the original on May 13, 2013. Retrieved March 20, 2013.

[16] "fail-safe". Dictionary.com. Retrieved November 7, 2021.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]