In engineering, a fail-safe is a design feature or practice that, in the event of a failure of the design feature, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people. Unlike inherent safety to a particular hazard, a system being "fail-safe" does not mean that failure is naturally inconsequential, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. If and when a "fail-safe" system fails, it remains at least as safe as it was before the failure. Since many types of failure are possible, failure mode and effects analysis is used to examine failure situations and recommend safety design and procedures.

Some systems can never be made fail-safe, as continuous availability is needed. Redundancy, fault tolerance, or contingency plans are used for these situations (e.g. multiple independently controlled and fuel-fed engines).

Examples

Mechanical or physical

Figure: Globe control valve with pneumatic diaphragm actuator. Such a valve can be designed to fail to safety using spring pressure if the actuating air is lost.

Examples include:

Roller-shutter fire doors that are activated by building alarm systems or local smoke detectors must close automatically when signaled regardless of power. In case of power outage the coiling fire door does not need to close, but must be capable of automatic closing when given a signal from the building alarm systems or smoke detectors. A temperature-sensitive fusible link may be employed to hold the fire doors open against gravity or a closing spring. In case of fire, the link melts and releases the doors, and they close.

Some airport baggage carts require that the person hold down a given cart's handbrake switch at all times; if the handbrake switch is released, the brake will activate, and assuming that all other portions of the braking system are working properly, the cart will stop. The handbrake-holding requirement thus both operates according to the principles of "fail-safety" and contributes to (but does not necessarily ensure) the fail-security of the system. This is an example of a dead man's switch.

Lawnmowers and snow blowers have a hand-closed lever that must be held down at all times. If it is released, it stops the blade's or rotor's rotation. This also functions as a dead man's switch.

Air brakes on railway trains and air brakes on trucks. The brakes are held in the "off" position by air pressure created in the brake system. Should a brake line split, or a carriage become uncoupled, the air pressure will be lost and the brakes applied, by springs in the case of trucks, or by a local air reservoir in trains. It is impossible to drive a truck with a serious leak in the air brake system. (Trucks may also employ wig wags to indicate low air pressure.)

Motorized gates – In case of power outage the gate can be pushed open by hand with no crank or key required. However, as this would allow virtually anyone to go through the gate, a fail-secure design is used: In a power outage, the gate can only be opened by a hand crank that is usually kept in a safe area or under lock and key. When such a gate provides vehicle access to homes, a fail-safe design is used, where the door opens to allow fire department access.

Safety valves – Various devices that operate with fluids use fuses or safety valves as fail-safe mechanisms.

Figure: Railway semaphore signals. "Stop" or "caution" is a horizontal arm, "Clear to Proceed" is 45 degrees upwards, so failure of the actuating cable releases the signal arm to safety under gravity.

A railway semaphore signal is specially designed so that, should the cable controlling the signal break, the arm returns to the "danger" position, preventing any trains passing the inoperative signal.

Isolation valves and control valves that are used, for example, in systems containing hazardous substances can be designed to close upon loss of power, for example by spring force. This is known as fail-closed upon loss of power.

An elevator has brakes that are held off brake pads by the tension of the elevator cable. If the cable breaks, tension is lost and the brakes latch on the rails in the shaft, so that the elevator cabin does not fall.

Vehicle air conditioning – Defrost controls require vacuum for diverter damper operation for all functions except defrost. If vacuum fails, defrost is still available.

Electrical or electronic

Examples include:

Many devices are protected from short circuit by fuses, circuit breakers, or current limiting circuits. The electrical interruption under overload conditions will prevent damage or destruction of wiring or circuit devices due to overheating.

Avionics using redundant systems to perform the same computation using three different systems. Different results indicate a fault in the system.

Drive-by-wire and fly-by-wire controls such as an Accelerator Position Sensor typically have two potentiometers which read in opposite directions, such that moving the control will result in one reading becoming higher, and the other generally equally lower. Mismatches between the two readings indicate a fault in the system, and the ECU can often deduce which of the two readings is faulty.

Traffic light controllers use a Conflict Monitor Unit to detect faults or conflicting signals and switch an intersection to an all flashing error signal, rather than displaying potentially dangerous conflicting signals, e.g. showing green in all directions.

The automatic protection of programs and/or processing systems when a computer hardware or software failure is detected in a computer system. A classic example is a watchdog timer. See Fail-safe (computer).

A control operation or function that prevents improper system functioning or catastrophic degradation in the event of circuit malfunction or operator error; for example, the failsafe track circuit used to control railway block signals. The fact that a flashing amber is more permissive than a solid amber on many railway lines is a sign of a failsafe, as the relay, if not working, will revert to a more restrictive setting.

The iron pellet ballast on the Bathyscaphe is dropped to allow the submarine to ascend. The ballast is held in place by electromagnets. If electrical power fails, the ballast is released, and the submarine then ascends to safety.

Many nuclear reactor designs have neutron-absorbing control rods suspended by electromagnets. If the power fails, they drop under gravity into the core and shut down the chain reaction in seconds by absorbing the neutrons needed for fission to continue.

In industrial automation, alarm circuits are usually "normally closed". This ensures that in case of a wire break the alarm will be triggered. If the circuit were normally open, a wire failure would go undetected, while blocking actual alarm signals.

Analog sensors and modulating actuators can usually be installed and wired such that the circuit failure results in an out-of-bound reading – see current loop. For example, a potentiometer indicating pedal position might only travel from 20% to 80% of its full range, such that a cable break or short results in a 0% or 100% reading.

In control systems, critically important signals can be carried by a complementary pair of wires (<signal> and <not_signal>). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut or unplugged wires) are thereby detected. An example would be a control system reading both the normally open (NO) and normally closed (NC) poles of a SPDT selector switch against common, and checking them for coherency before reacting to the input.

In HVAC control systems, actuators that control dampers and valves may be fail-safe, for example, to prevent coils from freezing or rooms from overheating. Older pneumatic actuators were inherently fail-safe because if the air pressure against the internal diaphragm failed, the built-in spring would push the actuator to its home position – of course the home position needed to be the "safe" position. Newer electrical and electronic actuators need additional components (springs or capacitors) to automatically drive the actuator to home position upon loss of electrical power.

Programmable logic controllers (PLCs). To make a PLC fail-safe the system does not require energization to stop the drives associated. For example, usually, an emergency stop is a normally closed contact. In the event of a power failure this would remove the power directly from the coil and also the PLC input. Hence, a fail-safe system.

If a voltage regulator fails, it can destroy connected equipment. A crowbar (circuit) prevents damage by short-circuiting the power supply as soon as it detects overvoltage.

Procedural safety

Figure: An aircraft lights its afterburners to maintain full power during an arrested landing aboard an aircraft carrier. If the arrested landing fails, the aircraft can safely take off again.

As well as physical devices and systems, fail-safe procedures can be created so that if a procedure is not carried out or carried out incorrectly no dangerous action results. For example:

Spacecraft trajectory – During early Apollo program missions to the Moon, the spacecraft was put on a free return trajectory — if the engines had failed at lunar orbit insertion, the craft would have safely coasted back to Earth.

The pilot of an aircraft landing on an aircraft carrier increases the throttle to full power at touchdown. If the arresting wires fail to capture the aircraft, it is able to take off again; this is an example of fail-safe practice.

In railway signalling, signals which are not in active use for a train are required to be kept in the 'danger' position. The default position of every controlled absolute signal is therefore "danger", and therefore a positive action — setting signals to "clear" — is required before a train may pass. This practice also ensures that, in case of a fault in the signalling system, an incapacitated signalman, or the unexpected entry of a train, a train will never be shown an erroneous "clear" signal.

Railroad engineers are instructed that a railway signal showing a confusing, contradictory or unfamiliar aspect (for example a colour light signal that has suffered an electrical failure and is showing no light at all) must be treated as showing "danger". In this way, the driver contributes to the fail-safety of the system.

Other terminology

Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality expert. "Safe to fail" refers to civil engineering designs such as the Room for the River project in the Netherlands and the Thames Estuary 2100 Plan which incorporate flexible adaptation strategies or climate change adaptation which provide for, and limit, damage, should severe events such as 500-year floods occur.

Fail safe and fail secure

Fail-safe and fail-secure are distinct concepts. Fail-safe means that a device will not endanger lives or property when it fails. Fail-secure, also called fail-closed, means that access or data will not fall into the wrong hands in a security failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building.

The opposite of fail-closed is called fail-open.

Fail active operational

Fail active operational can be installed on systems that have a high degree of redundancy so that a single failure of any part of the system can be tolerated (fail active operational) and a second failure can be detected – at which point the system will turn itself off (uncouple, fail passive). One way of accomplishing this is to have three identical systems installed, and a control logic which detects discrepancies. Examples of this are many aircraft systems, among them inertial navigation systems and pitot tubes.

Failsafe point

During the Cold War, "failsafe point" was the term used for the point of no return for American Strategic Air Command nuclear bombers, just outside Soviet airspace. In the event of receiving an attack order, the bombers were required to linger at the failsafe point and wait for a second confirming order; until one was received, they would not arm their bombs or proceed further. The design was to prevent any single failure of the American command system causing nuclear war. This sense of the term entered the American popular lexicon with the publishing of the 1962 novel Fail-Safe.

(Other nuclear war command control systems have used the opposite scheme, fail-deadly, which requires continuous or regular proof that an enemy first-strike attack has not occurred to prevent the launching of a nuclear strike.)

See also

Fail-fast system
Control theory
Dead man's switch
EIA-485
Elegant degradation
Failing badly
Fail-deadly
Fault tolerance
IEC 61508
Interlock
Safe-life design
Safety engineering

References

"Fail-safe". AudioEnglich.net. Accessed 2009.12.31.
e.g., David B. Rutherford Jr., What Do You Mean It's Fail Safe? 1990 Rapid Transit Conference.
Force V: The history of Britain's airborne deterrent, by Andrew Brookes. Jane's Publishing Co Ltd; First Edition 1 Jan. 1982, ISBN 0710602383, p.144.
Bornschlegl, Susanne (2012). Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications (pdf). MEN Mikro Elektronik. Archived from the original on 2019-06-09. Retrieved 2015-09-21.
Wragg, David W. (1973). A Dictionary of Aviation (first ed.). Osprey. p. 127. ISBN 9780850451634.
"P2138 DTC Throttle/Pedal Pos Sensor/Switch D / E Voltage Correlation". www.obd-codes.com.
Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003.
"When Failure Is Not an Option: The Evolution of Fail-Safe Actuators". KMC Controls. 29 October 2015. Retrieved 12 April 2021.
Harris, Tom (29 August 2002). "How Aircraft Carriers Work". HowStuffWorks, Inc. Retrieved 2007-10-20.
Shingo, Shigeo; Andrew P. Dillon (1989). A study of the Toyota production system from an industrial engineering viewpoint. Portland, Oregon: Productivity Press. p. 22. ISBN 0-915299-17-8. OCLC 19740349.
John R. Grout, Brian T. Downs. "A Brief Tutorial on Mistake-proofing, Poka-Yoke, and ZQC", MistakeProofing.com. Archived 2016-03-19 at the Wayback Machine.
"Thames Estuary 2100 Plan" (PDF). UK Environment Agency. November 2012. Archived from the original (PDF) on 2012-12-10. Retrieved March 20, 2013.
"Thames Estuary 2100 (TE2100)". UK Environment Agency. Retrieved March 20, 2013.
Jennifer Weeks (March 20, 2013). "Adaptation expert Paul Kirshen proposes a new paradigm for civil engineers: 'safe to fail,' not 'fail safe'". The Daily Climate. Archived from the original on May 13, 2013. Retrieved March 20, 2013.
"fail-safe". Dictionary.com. Retrieved November 7, 2021.
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.