Fail-safe
A fail-safe or fail-secure device is one that, in the event of failure, responds in a way that will cause no harm, or at least a minimum of harm, to other devices or danger to personnel.

Fail-safe components should not be confused with fail-secure components. A fail-secure component will allow, but does not cause, a system failure. For example, a fail-secure lock will remain locked during a failure and cannot be unlocked, even with the correct key. In contrast, a fail-safe component does not allow a system failure. For example, a lock that unlocks at the wrong time has failed, but is considered fail-safe because it does not open or attract undue attention to the door's unlocked state.

Significantly, despite popular belief to the contrary, "fail-safe" does not mean that failure is improbable, but rather that a system's design mitigates any unsafe consequences of failure (i.e. it is safe if it fails).

Mechanical or physical

  • Aircraft landing on an aircraft carrier increase the throttle to full power at touchdown. If the arresting wires fail to capture the plane, it is able to take off again.
  • Coiling/rolling fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signalled, regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature-sensitive fusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.
  • Luggage carts in airports in which the hand-brake must be held down at all times. If it is released, the cart will stop. See dead man's switch.
  • Lawnmowers and snow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the rotation of the blades or rotors.
  • Air brakes on railway trains and air brakes on trucks. The brakes are held in the 'off' position by air pressure created in the brake system. Should a brake line split, or a carriage become de-coupled, the air pressure will be lost and the brakes applied. It is impossible to drive a train or truck with a serious leak in the air brake system.
  • Motorized gates – In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, a fail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area.
  • During early Apollo program missions to the Moon, the spacecraft was put on a free return trajectory – if the engines failed at lunar orbit insertion, the craft would safely coast back to Earth.
  • Elevator cabins that begin to accelerate too quickly as a result of the cables failing have a safety mechanism which uses contact with the guide rail to decelerate the car.
  • Various devices that operate with fluids use hydraulic fuses or safety valves as a fail-safe mechanism.
  • A railway semaphore signal is designed so that should the cable controlling the signal break, the arm returns to the 'danger' position, preventing any trains passing the inoperative signal.
  • Diving watches – On diving watches the bezel is "unidirectional", i.e., it contains a ratchet so it can only be turned anti-clockwise to increase the apparent elapsed time. If the bezel could be turned the other way, it could suggest to a diver that the elapsed time was shorter than the truth, giving a falsely low elapsed time reading and therefore an assumed falsely low air consumption reading and falsely high remaining air reading, all of which could be highly dangerous. In this fashion, if the bezel is inadvertently rotated during the dive, it will only rotate so as to give a false reading of increased time below, and thus less assumed tank air remaining, rather than the opposite.

Electrical or electronic

  • Many devices are protected from short circuit with fuses. The destruction of the fuse will prevent destruction of the device.
  • Avionics using redundant systems to perform the same computation, with voting logic to determine the "safe" result.
  • Traffic light controllers use a Conflict Monitor Unit to detect faults or conflicting signals and switch an intersection to all flashing red, rather than displaying potentially dangerous conflicting signals, e.g. showing green in all directions.
  • The automatic protection of programs and/or processing systems when a hardware or software failure is detected in a computer system. A classic example is a watchdog timer. See fail-safe (computer).
  • A control operation or function that prevents improper system functioning or catastrophic degradation in the event of circuit malfunction or operator error; for example, the fail-safe track circuit used to control railway block signals.
  • The iron pellet ballast on the Bathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place by electromagnets. If electrical power fails the ballast is released, and the submarine then ascends to safety.
  • Inside a modern CPU are features to prevent damage through overheating. In the event of cooling failure, the CPU will throttle, then shut down beyond a critical temperature threshold to avoid damage.
  • In industrial automation, alarm signals are usually "normally closed" (or active at 0). This ensures that in case of a wire break the alarm will be triggered. If the signal were normally open, no wire failure would be detected.
  • In control systems, critically important signals can be carried by a complementary pair of wires. Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low, the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut/unplugged wires) are thereby detected. An example would be a control system reading both the NO and NC poles of a SPDT selector switch against common, and checking them for coherency before reacting to the input.
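The last three items above (normally-closed alarm loops, complementary signal pairs read from an SPDT switch, and redundant channels resolved by voting logic) share one idea: the failure of a wire or sensor must land in a state the system treats as unsafe or invalid, never in a state that looks like "all is well". The following C code is an added illustration, not part of the article or of any product it names; the type and function names (`alarm_loop_state`, `decode_selector`, `vote_2oo3`) are my own, and the inputs are constructed logic levels rather than real hardware reads.

```c
#include <stdio.h>

/* Normally-closed alarm loop: current flows (logic 1) while the loop is
 * healthy. A genuine alarm opens the loop, and so does a broken wire.
 * Both read 0 and both are reported as ALARM, so a wiring failure can
 * never masquerade as a quiet, healthy plant. */
typedef enum { LOOP_HEALTHY, LOOP_ALARM } loop_state_t;

loop_state_t alarm_loop_state(int level)
{
    return level ? LOOP_HEALTHY : LOOP_ALARM;
}

/* Complementary pair: an SPDT selector read on both its NO and NC poles
 * against common. Exactly one pole may be asserted. Equal readings
 * (00: dead sensor or cut/unplugged cable; 11: shorted pair) are
 * reported as a FAULT rather than guessed at as a switch position. */
typedef enum { SEL_OFF, SEL_ON, SEL_FAULT } selector_t;

selector_t decode_selector(int no_pole, int nc_pole)
{
    if (no_pole && !nc_pole) return SEL_ON;
    if (!no_pole && nc_pole) return SEL_OFF;
    return SEL_FAULT;
}

/* Two-out-of-three voter over redundant channels. Any two agreeing
 * channels decide the output; a three-way disagreement has no majority
 * and yields the caller's safe value. *disagreement is set whenever the
 * channels are not unanimous, so a single failed channel is still
 * flagged for maintenance even though the output remains correct. */
int vote_2oo3(int a, int b, int c, int safe_value, int *disagreement)
{
    *disagreement = !(a == b && b == c);
    if (a == b || a == c) return a;
    if (b == c) return b;
    return safe_value;
}

int main(void)
{
    int flag;
    /* Constructed readings: a broken alarm wire, a shorted selector
     * cable, and three sensor channels that all disagree. */
    printf("alarm loop reads 0      -> %s\n",
           alarm_loop_state(0) == LOOP_ALARM ? "ALARM" : "healthy");
    printf("selector NO=1 NC=1      -> %s\n",
           decode_selector(1, 1) == SEL_FAULT ? "FAULT" : "valid");
    printf("vote (1,2,3), safe=0    -> %d (disagreement=%d)\n",
           vote_2oo3(1, 2, 3, 0, &flag), flag);
    printf("vote (5,5,7), safe=0    -> %d (disagreement=%d)\n",
           vote_2oo3(5, 5, 7, 0, &flag), flag);
    return 0;
}
```

The choice of `safe_value` belongs to the caller because "safe" is application-specific: for a brake it is "applied", for a signal it is "danger". Note that the voter's output being correct is not the end of the story; the disagreement flag is what turns a silently tolerated single fault into something that gets repaired before a second one arrives.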

Procedural

As well as physical devices and systems, fail-safe procedures can be created so that if a procedure is not carried out, or is carried out incorrectly, no dangerous action results. For example:
  • In railway signalling, signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every signal is therefore 'danger', and a positive action—setting signals to 'clear'—is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, a train will never be shown an erroneous 'clear' signal.
  • Train drivers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example a colour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing 'danger'. In this way, the driver contributes to the fail-safety of the system.
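The two procedural rules above, together with the fail-safe track circuit mentioned in the electrical list, amount to a small state machine: the rest state is 'danger', clearing a signal is a positive action that is only honoured while the track circuit proves the block empty, and any aspect that cannot be read unambiguously is treated as 'danger'. The C code below is an added example written for this page, not railway software or text from the article; the names (`aspect_from_lamps`, `block_occupied`, `signal_request_clear`, `signal_scan`) and the three-lamp layout are assumptions chosen for illustration.

```c
#include <stdio.h>

typedef enum { ASPECT_DANGER, ASPECT_CAUTION, ASPECT_CLEAR } aspect_t;

/* Decode a three-lamp colour light signal the way the driver's rule
 * says: only a single, unambiguous lamp is accepted as a permissive
 * aspect. No lamp lit (electrical failure) or more than one lamp lit
 * (a fault) decodes to DANGER. */
aspect_t aspect_from_lamps(int red_lit, int yellow_lit, int green_lit)
{
    int lit = red_lit + yellow_lit + green_lit;
    if (lit != 1) return ASPECT_DANGER;
    if (green_lit) return ASPECT_CLEAR;
    if (yellow_lit) return ASPECT_CAUTION;
    return ASPECT_DANGER;
}

/* Track circuit: a relay is held energized by current flowing through
 * the rails while the block is empty. A train's axles short the rails,
 * and a broken rail, broken wire or dead supply all drop the relay too,
 * so "not energized" is always read as occupied. */
int block_occupied(int relay_energized)
{
    return !relay_energized;
}

typedef struct { aspect_t aspect; } signal_t;

/* Every signal starts at DANGER and returns there on any reset. */
void signal_init(signal_t *s)
{
    s->aspect = ASPECT_DANGER;
}

/* The positive action to clear a signal. It is honoured only while the
 * track circuit proves the block empty; otherwise the signal is forced
 * to DANGER. Returns 1 if the signal cleared, 0 if the request was refused. */
int signal_request_clear(signal_t *s, int relay_energized)
{
    if (block_occupied(relay_energized)) {
        s->aspect = ASPECT_DANGER;
        return 0;
    }
    s->aspect = ASPECT_CLEAR;
    return 1;
}

/* Run on every scan of the interlocking. If the block becomes occupied,
 * or the track circuit fails, the signal reverts to DANGER without any
 * operator action. Nothing in the scan can move a signal towards CLEAR. */
void signal_scan(signal_t *s, int relay_energized)
{
    if (block_occupied(relay_energized)) s->aspect = ASPECT_DANGER;
}

int main(void)
{
    signal_t s;
    signal_init(&s);
    /* Constructed scenario: a clear request while the block is proved
     * empty, then a track-circuit failure on the next scan. */
    printf("clear request, relay energized -> %s\n",
           signal_request_clear(&s, 1) ? "CLEAR" : "refused");
    signal_scan(&s, 0);
    printf("after relay drops              -> %s\n",
           s.aspect == ASPECT_DANGER ? "DANGER" : "not danger");
    printf("dark signal decodes as         -> %s\n",
           aspect_from_lamps(0, 0, 0) == ASPECT_DANGER ? "DANGER" : "permissive");
    return 0;
}
```

The asymmetry is the point: there is one guarded path towards 'clear' and several unguarded paths back to 'danger'. The same shape (deny by default, grant only on positive proof, revoke automatically when the proof lapses) is what a security engineer means by fail-safe defaults in an access-control or authorization system.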

Other terminology

Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality guru.

See also

  • Control theory
  • Dead man's switch
  • EIA-485
  • Elegant degradation
  • Fail-deadly
  • Fault-tolerant design
  • Fault-tolerant system
  • Graceful degradation
  • Interlock
  • Safe-life design
  • Safety engineering
  • IEC 61508 (Safe Failure Fraction - SFF)
The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.