World Library  
Flag as Inappropriate
Email this Article


Article Id: WHEBN0000041136
Reproduction Date:

Title: Fail-safe  
Author: World Heritage Encyclopedia
Language: English
Subject: Fuel gauge, Fail-safes in nanotechnology, Fault tolerance, Jaw coupling, IEC 61508
Publisher: World Heritage Encyclopedia


A fail-safe or fail-secure device is one that, in the event of failure, responds in a way that will cause no harm, or at least a minimum of harm, to other devices or danger to personnel.

Fail-safe and fail-secure are similar but distinct concepts. Fail-safe means that a device will not endanger lives or property when it fails. Fail-secure means that access or data will not fall into the wrong hands in a failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building.

Significantly, a system's being "fail-safe" means not that failure is impossible/improbable, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. That is, if and when a "fail-safe" system "fails", it is "safe" or at least no less safe than when it is operating correctly.[1][2]


Mechanical or physical

Examples include:

An aircraft lights its afterburners to maintain full power following an arrested landing aboard an aircraft carrier. If the arrested landing fails, the plane can safely take off again.
  • An aircraft landing on an aircraft carrier increases the throttle to full power at touchdown. If the arresting wires fail to capture the plane, it is able to take off again.[3]
  • Coiling/rolling fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signaled regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature sensitive fusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.
  • Operation of some airport luggage carts requires that one hold down a given cart's handbrake switch at all times; if the handbrake switch is released, the brake will activate, and assuming that all other portions of the braking system are working properly, the cart will stop. The handbrake-holding requirement thus both operates according to the principles of "fail-safety" and contributes to (but does not necessarily ensure) the fail-security of the system. This is an example of a dead man's switch.
  • Lawnmowers and snow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the blade's or rotor's rotation. This is also a dead man's switch.
  • Air brakes on railway trains and air brakes on trucks. The brakes are held in the "off" position by air pressure created in the brake system. Should a brake line split, or a carriage become de-coupled, the air pressure will be lost and the brakes applied. It is impossible to drive a train or truck with a serious leak in the air brake system. (Trucks may also employ wig wags to indicate low air pressure.)
  • Motorized gates — In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, a fail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area. When such a gate provides vehicle access to homes, a fail-safe design is used, where the door opens to allow fire department access.
  • During early Apollo program missions to the Moon, the spacecraft was put on a free return trajectory — if the engines had failed at lunar orbit insertion, the craft would have safely coasted back to Earth.
  • Elevator cabins have a safety mechanism that wedges securely onto the guide rails to arrest a fall if the hoist cables were to fail.
  • Various devices that operate with fluids use fuses or valves as a fail-safe mechanism.
  • A railway semaphore signal is designed so that should the cable controlling the signal break, the arm returns to the "danger" position, preventing any trains passing the inoperative signal.
  • On diving watches, the rotating bezel used to measure dive time has a ratchet and can only be turned counter-clockwise. If the bezel is inadvertently rotated during the dive, it will give a false reading of increased time spent below.[4] This protects the diver from underestimating their decompression obligation, which could cause decompression sickness.

Electrical or electronic

Examples include:

  • Many devices are protected from short circuit with fuses or circuit breakers. The electrical interruption under overload conditions will prevent destruction of wiring or circuit devices.
  • Avionics using redundant systems to perform the same computation using three different systems. Different results indicate a fault in the system.[5]
  • Traffic light controllers use a Conflict Monitor Unit to detect faults or conflicting signals and switch an intersection to an all flashing error signal, rather than displaying potentially dangerous conflicting signals, e.g. showing green in all directions.[6]
  • The automatic protection of programs and/or processing systems when a computer hardware or software failure is detected in a computer system. A classic example is a watchdog timer. See fail-safe (computer).
  • A control operation or function that prevents improper system functioning or catastrophic degradation in the event of circuit malfunction or operator error; for example, the failsafe track circuit used to control railway block signals. The fact that a flashing amber is more permissive than a solid amber on many railway lines is a sign of a failsafe, as the relay if not working wrong will revert to a more restrictive setting.
  • The iron pellet ballast on the Bathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place by electromagnets. If electrical power fails, the ballast is released, and the submarine then ascends to safety.
  • Inside a modern CPU are features to prevent damage through overheating. In the event of cooling failure, the CPU will throttle then shut down beyond a critical temperature threshold to avoid damage.
  • In industrial automation, alarm signals are usually "normally closed" (or active at 0). This insures that in case of a wire break the alarm will be triggered. If the signal were normally open, no wire failure would be detected.
  • In control systems, critically important signals can be carried by a complementary pair of wires ( and ). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut/unplugged wires) are thereby detected. An example would be a control system reading both the normally open (NO) and normally closed (NC) poles of a SPDT selector switch against common, and checking them for coherency before reacting to the input.
  • In HVAC control systems, actuators that control dampers and valves may be fail-safe, for example, to prevent coils from freezing or rooms from overheating. Older pneumatic actuators were inherently fail-safe since if the air pressure against the internal diaphragm failed, the built-in spring would push the actuator to its home position. Newer electrical/electronic actuators need additional components (springs or capacitors) to automatically drive the actuator to home position upon loss of electrical power.[7]
  • Programmable logic controllers (PLCs). To make a PLC fail-safe the system does not require energization to stop the drives associated. For example, usually, an emergency stop is a normally closed contact. In the event of a power failure this would remove the power directly from the coil and also the PLC input. Hence, a fail-safe system.


As well as physical devices and systems fail-safe procedures can be created so that if a procedure is not carried out or carried out incorrectly no dangerous action results. For example:

  • In railway signalling signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every signal is therefore "danger", and therefore a positive action — setting signals to "clear" — is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, that a train will never be shown an erroneous "clear" signal.
  • Train drivers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example a colour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing "danger". In this way, the driver contributes to the fail-safety of the system.

Other terminology

Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality expert.[8][9] "Safe to fail" refers to civil engineering designs such as the Room for the River project in Netherlands and the Thames Estuary 2100 Plan[10][11] which incorporate flexible adaptation strategies or climate change adaptation which provide for, and limit, damage, should severe events such as 500-year floods occur.[12]

See also


  1. ^ "Fail-safe". Accessed 2009.12.31
  2. ^ e.g., David B. Rutherford, Jr., "What Do You Mean — It's Fail-Safe?": Evaluating Fail-Safety in Processor-Based Vital Control Systems. 1990 Rapid Transit Conference
  3. ^ Harris, Tom. "How Aircraft Carriers Work". HowStuffWorks, Inc. Retrieved 2007-10-20. 
  4. ^ "What is a Unidirectional Rotating Bezel". Retrieved 9 May 2013. 
  5. ^ Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications (pdf). MEN Mikro Elektronik. Retrieved 2014-08-14. 
  6. ^ Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003
  7. ^ "When Failure Is Not an Option: The Evolution of Fail-Safe Actuators". KMC Controls. Retrieved 10 May 2013. 
  8. ^ Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22. ISBN 0-915299-17-8. OCLC 19740349
  9. ^ John R. Grout, Brian T. Downs. "A Brief Tutorial on Mistake-proofing, Poka-Yoke, and ZQC",
  10. ^ "Thames Estuary 2100 Plan". UK Environment Agency. November 2012. Retrieved March 20, 2013. 
  11. ^ "Thames Estuary 2100 (TE2100)". UK Environment Agency. Retrieved March 20, 2013. 
  12. ^ Jennifer Weeks (March 20, 2013). "'"Adaptation expert Paul Kirshen proposes a new paradigm for civil engineers: 'safe to fail,' not 'fail safe. The Daily Climate. Retrieved March 20, 2013. 
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.