Fail-safe

A fail-safe or fail-secure device is one that, in the event of failure, responds in a way that will cause no harm, or at least a minimum of harm, to other devices or danger to personnel.

"Fail-safe[ty]" should not be confused with "fail-secur[ity]." A fail-secure component of a system secures that system (or at least the portion to which the component is dedicated) in the event of a failure either of that component or elsewhere in the system. For example, during a failure of an ingress-egress control system (e.g., a user's propping a door open somewhere in a building), a fail-secure lock will close, lock, and remain locked even when a user attempts to unlock it with the key that the user usually uses. In such a case, an independent release (such as a reboot or disarming) of the securing mechanism is required. In contrast, a component may be considered fail-safe even if its failure does not secure the system. For example, if a door locked from the inside is left unlocked or is unlocked at the wrong time, it has failed (in some cases, along with the entire system), the door may be (but is not necessarily) fail-safe if its being unlocked does not open it or attract additional attention to its unlocked state.

Significantly, despite popular belief to the contrary,^[1] a system's being "fail-safe" means not that failure is impossible/improbable but rather that the system's design prevents or mitigates unsafe consequences of the system's failure; that is, if and when a "fail-safe" system "fails," it is "safe" or at least no less unsafe than when it is operating correctly.^[2]

1 Examples
2 Other terminology
3 See also
4 References

Examples

Mechanical or physical

Aircraft landing on an aircraft carrier increases the throttle to full power at touchdown. If the arresting wires fail to capture the plane, it is able to take off again.^[3]
Coiling/rolling fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signaled regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature sensitive fusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.
Operation of some airport luggage carts requires that one hold down a given cart's handbrake switch at all times; if the handbrake switch is released, the brake will activate, and assuming that all other portions of the braking system are working properly, the cart will stop. The handbrake-holding requirement thus both operates according to the principles of "fail-safety" and contributes to (but does not necessarily ensure) the fail-security of the system.

See dead man's switch, a more extreme example that, depending on its placement in the system, can be used to render a system "safe" and/or "secure" against a failure that disables it.

Lawnmowers and snow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the blades or rotors rotation.
Air brakes on railway trains and air brakes on trucks. The brakes are held in the 'off' position by air pressure created in the brake system. Should a brake line split, or a carriage become de-coupled, the air pressure will be lost and the brakes applied. It is impossible to drive a train or truck with a serious leak in the air brake system.
Motorized gates – In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, a fail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area.
During early Apollo program missions to the Moon, the spacecraft was put on a free return trajectory – if the engines failed at lunar orbit insertion, the craft would safely coast back to Earth.
Elevator cabins that begin to accelerate too quickly as a result of the cables failing have a safety mechanism which uses contact with the guide rail to decelerate the car.
Various devices that operate with fluids use fuses or valves as a fail-safe mechanism.
A railway semaphore signal is designed so that should the cable controlling the signal break, the arm returns to the 'danger' position, preventing any trains passing the inoperative signal.
Diving watches – On diving watches the bezel is "unidirectional", i.e., it contains a ratchet so it can only be turned anti-clockwise to increase the apparent elapsed time. If the bezel could be turned the other way this could suggest to a diver that the elapsed time was shorter than the truth, thus giving a falsely low elapsed time reading and therefore an assumed falsely low air consumption reading and falsely high remaining air reading, all of which could be highly dangerous. In this fashion, if it is inadvertently rotated during the dive, it will only rotate so as to give a false reading of increased time below and thus less assumed tank air remaining rather than the opposite.

Electrical or electronic

Many devices are protected from short circuit with fuses. The destruction of the fuse will prevent destruction of the device.
Avionics using redundant systems to perform the same computation with voting logic to determine the "safe" result.
Traffic light controllers use a Conflict Monitor Unit to detect faults or conflicting signals and switch an intersection to all flashing red, rather than displaying potentially dangerous conflicting signals, e.g. showing green in all directions.^[4]
The automatic protection of programs and/or processing systems when a hardware or software failure is detected in a computer system. A classic example is a watchdog timer. See fail-safe (computer).
A control operation or function that prevents improper system functioning or catastrophic degradation in the event of circuit malfunction or operator error; for example, the failsafe track circuit used to control railway block signals.
The iron pellet ballast on the Bathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place by electromagnets. If electrical power fails the ballast is released, and the submarine then ascends to safety.
Inside a modern CPU are features to prevent damage through overheating. In the event of cooling failure, the CPU will throttle then shut down beyond a critical temperature threshold to avoid damage.
In industrial automation, alarm signals are usually "normally closed" (or active at 0). This insures that in case of a wire break the alarm will be triggered. If the signal were normally open, no wire failure would be detected.
In control systems, critically important signals can be carried by a complimentary pair of wires (<signal> and <not_signal>). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut/unplugged wires) are thereby detected. An example would be a control system reading both the NO and NC poles of a SPDT selector switch against common, and checking them for coherency before reacting to the input.

Procedural

As well as physical devices and systems fail-safe procedures can be created so that if a procedure is not carried out or carried out incorrectly no dangerous action results. For example:

In railway signalling signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every signal is therefore 'danger,' and therefore a positive action—setting signals to 'clear'—is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, that a train will never be shown an erroneous 'clear' signal.
Train drivers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example a colour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing 'danger'. In this way, the driver contributes to the fail-safety of the system.

Other terminology

Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality guru.^[5]^[6]

References

^ "Fail-safe". AudioEnglich.net. Accessed 2009.12.31
^ E.g., David B. Rutherford, Jr., "What Do You Mean – It's Fail-Safe?": Evaluating Fail-Safety in Processor-Based Vital Control Systems. 1990 Rapid Transit Conference
^ Harris, Tom. "How Aircraft Carriers Work". HowStuffWorks, Inc. http://science.howstuffworks.com/aircraft-carrier4.htm. Retrieved 2007-10-20.
^ Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003
^ Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22. ISBN 0-915299-17-8. OCLC 19740349
^ John R. Grout, Brian T. Downs. "A Brief Tutorial on Mistake-proofing, Poka-Yoke, and ZQC". MistakeProofing.com http://www.mistakeproofing.com/tutorial.html