Inengineering, afail-safe is a design feature or practice that, in the event of afailure of the design feature, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people. Unlikeinherent safety to a particular hazard, a system being "fail-safe" does not mean that failure is naturally inconsequential, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. If and when a "fail-safe" system fails, it remains at least as safe as it was before the failure.[1][2] Since many types of failure are possible,failure mode and effects analysis is used to examine failure situations and recommend safety design and procedures.[3]
Some systems can never be made fail-safe, as continuous availability is needed.Redundancy,fault tolerance, orcontingency plans are used for these situations (e.g. multiple independently controlled and fuel-fed engines).[4]
Globe control valve with pneumatic diaphragm actuator. Such a valve can be designed to fail to safety using spring pressure if the actuating air is lost.
Examples include:
Safety valves – Various devices that operate withfluids usefuses orsafety valves as fail-safe mechanisms.
Roller-shutter fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signaled regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature-sensitivefusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.
Some airportbaggagecarts require that the person hold down a given cart's handbrake switch at all times; if the handbrake switch is released, the brake will activate, and assuming that all other portions of the braking system are working properly, the cart will stop. The handbrake-holding requirement thus both operates according to the principles of "fail-safety" and contributes to (but does not necessarily ensure) the fail-security of the system. This is an example of adead man's switch.
Lawnmowers andsnow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the blade's or rotor's rotation. This also functions as adead man's switch.
Air brakes on railwaytrains andair brakes ontrucks. The brakes are held in the "off" position by airpressure created in the brake system. Should a brake line split, or a carriage become uncoupled, the air pressure will be lost and the brakes applied, by springs in the case of trucks, or by a local air reservoir in trains. It is impossible to drive a truck with a serious leak in the air brake system. (Trucks may also employwig wags to indicate low air pressure.)
Motorized gates – In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, afail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area or under lock and key. When such a gate provides vehicle access to homes, a fail-safe design is used, where the door opens to allow fire department access.
Railway semaphore signals. "Stop" or "caution" is a horizontal arm, "Clear to Proceed" is 45 degrees upwards, so failure of the actuating cable releases the signal arm to safety under gravity. Arailway semaphore signal is specially designed so that, should the cable controlling the signal break, the arm returns to the "danger" position, preventing any trains passing the inoperative signal.
Isolation valves, and control valves, that are used for example in systems containing hazardous substances, can be designed to close upon loss of power, for example by spring force. This is known as fail-closed upon loss of power.
Anelevator has brakes that are held off brake pads by the tension of the elevator cable. If the cable breaks, tension is lost and the brakes latch on the rails in the shaft, so that the elevator cabin does not fall.
Many devices are protected fromshort circuit byfuses,circuit breakers, orcurrent limiting circuits. The electrical interruption under overload conditions will prevent damage or destruction of wiring or circuit devices due to overheating.
Drive-by-wire andfly-by-wire controls such as an Accelerator Position Sensor typically have two potentiometers which read in opposite directions, such that moving the control will result in one reading becoming higher, and the other generally equally lower. Mismatches between the two readings indicates a fault in the system, and theECU can often deduce which of the two readings is faulty.[7]
Traffic light controllers use aConflict Monitor Unit to detect faults or conflicting signals and switch an intersection to an all flashing error signal, rather than displaying potentially dangerous conflicting signals, e.g. showinggreen in all directions.[8]
Acontrol operation or function that prevents improper system functioning orcatastrophic degradation in the event ofcircuit malfunction or operator error; for example, the failsafetrack circuit used to controlrailway block signals. The fact that a flashing amber is more permissive than a solid amber on many railway lines is a sign of a failsafe, as the relay, if not working, will revert to a more restrictive setting.
The iron pellet ballast on thebathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place byelectromagnets. If electrical power fails, the ballast is released, and the submarine then ascends to safety.
Manynuclear reactor designs have neutron-absorbing control rods suspended by electromagnets. If the power fails, they drop under gravity into the core and shut down the chain reaction in seconds by absorbing the neutrons needed for fission to continue.
Inindustrial automation, alarm circuits are usually "normally closed". This ensures that in case of a wire break the alarm will be triggered. If the circuit were normally open, a wire failure would go undetected, while blocking actual alarm signals.
Analog sensors and modulating actuators can usually be installed and wired such that the circuit failure results in an out-of-bound reading – seecurrent loop. For example, a potentiometer indicating pedal position might only travel from 20% to 80% of its full range, such that a cable break or short results in a 0% or 100% reading.
In control systems, critically important signals can be carried by a complementary pair of wires (<signal> and <not_signal>). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut or unplugged wires) are thereby detected. An example would be a control system reading both thenormally open (NO) andnormally closed (NC) poles of aSPDT selector switch against common, and checking them for coherency before reacting to the input.
InHVAC control systems,actuators that control dampers and valves may be fail-safe, for example, to prevent coils from freezing or rooms from overheating. Olderpneumatic actuators were inherently fail-safe because if the air pressure against the internal diaphragm failed, the built-in spring would push the actuator to its home position – of course the home position needed to be the "safe" position. Newer electrical and electronic actuators need additional components (springs or capacitors) to automatically drive the actuator to home position upon loss of electrical power.[9]
Programmable logic controllers (PLCs). To make a PLC fail-safe the system does not require energization to stop the drives associated. For example, usually, an emergency stop is a normally closed contact. In the event of a power failure this would remove the power directly from the coil and also the PLC input. Hence, a fail-safe system.
If avoltage regulator fails, it can destroy connected equipment. Acrowbar (circuit) prevents damage by short-circuiting the power supply as soon as it detects overvoltage.
As well as physical devices and systems fail-safe procedures can be created so that if a procedure is not carried out or carried out incorrectly no dangerous action results. For example:
Spacecraft trajectory - During earlyApollo program missions to the Moon, the spacecraft was put on afree return trajectory — if the engines had failed atlunar orbit insertion, the craft would have safely coasted back to Earth.
An aircraft lights itsafterburners to maintain full power during anarrested landing aboard anaircraft carrier. If the arrested landing fails, the aircraft can safely take off again.The pilot of an aircraft landing on anaircraft carrier increases the throttle to full power at touchdown. If thearresting wires fail to capture the aircraft, it is able to take off again; this is an example offail-safe practice.[10]
Inrailway signalling signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every controlled absolute signal is therefore "danger", and therefore a positive action — setting signals to "clear" — is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, that a train will never be shown an erroneous "clear" signal.
Railroad engineers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example acolour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing "danger". In this way, the driver contributes to the fail-safety of the system.
Fail-safe andfail-secure are distinct concepts.Fail-safe means that a device will not endanger lives or property when it fails.Fail-secure, also calledfail-closed, means that access or data will not fall into the wrong hands in a security failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building.
Fail active operational can be installed on systems that have a high degree of redundancy so that a single failure of any part of the system can be tolerated (fail active operational) and a second failure can be detected – at which point the system will turn itself off (uncouple, fail passive). One way of accomplishing this is to have three identical systems installed, and a control logic which detects discrepancies. An example for this are many aircraft systems, among theminertial navigation systems andpitot tubes.
During theCold War, "failsafe point" was the term used for the point of no return for AmericanStrategic Air Command nuclear bombers, just outside Soviet airspace. In the event of receiving an attack order, the bombers were required to linger at the failsafe point and wait for a second confirming order; until one was received, they would not arm their bombs or proceed further.[16] The design was to prevent any single failure of the American command system causing nuclear war. This sense of the term entered the American popular lexicon with the publishing of the 1962 novelFail-Safe.
(Other nuclear war command control systems have used the opposite scheme,fail-deadly, which requires continuous or regular proof that an enemy first-strike attack hasnot occurred toprevent the launching of a nuclear strike.)
^Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22.ISBN0-915299-17-8.OCLC19740349
