Fail Safe Considerations in Controls – Introduction
When selecting components and doing a control system design, the failure state(s) of the various devices and the controls need to be considered.
Once the final selections have been made, another review of the failure modes of the various devices and the design should again be made prior to making any purchases (or procurements).
The most common reason I still encounter for using devices or designs that do not fail safe, is simply that failure of the device or design is not considered.
What is Fail Safety?
In looking up the definition of what constitutes something that is “fail-safe” this is the definition used in this article and is adapted from http://www.audioenglish.org/dictionary/fail-safe.htm.
FAIL-SAFE (noun) – The noun FAIL-SAFE has 1 sense:
1. a mechanism (or system) capable of returning to a safe state in case there is a failure or malfunction.
To this definition I would add that in practice the engineer is looking at the most likely failure mode of a device and minimizing the downside risk of a device failure on some operation.
Examples
The two perhaps most common examples of fail safe design in controls engineering is the wiring of a stop pushbutton into a PLC input, and the selection and wiring of limit sensors.
Stop Pushbutton Example
In the early days of PLCs, it was common to see the stop pushbutton wired into the PLC as a normally open contact. This means that to stop something, the input had to be on momentarily. It didn’t take long to figure out that if the stop input wasn’t wired up correctly, that it was not possible to stop something once you got it going. The current practice is to wire the PLC input for a stop button as a normally closed contact (see image at left) so that the input must receive power in order to allow the output to turn on and run. This is generally the more desirable failure scenario. (Note that in the logic the stop is programmed as a normally open contact).
Limit Sensor Example
In the case of limit sensors such as mechanical limit switches, photoeyes or proximity switches to sense the end travel of a mechanism, the failure state of the devices needs to be considered. If the mechanism fails to stop at the end limits and this can cause undesired consequences (such as equipment damage or personnel injury/death), the limit sensors are typically selected to be normally opened but held closed when the mechanism is within its operating limits. When the mechanism is at a limit, then the sensor for that limit would no longer be held closed and the mechanism would stop (going in that direction). When a failure occurs, such as a wire falls off, the power to the sensor fails, or the sensor fails opened, then the mechanism will stop as well.
An alternative to the above solution would be to choose a normally closed output that opens when it sensed the end of limit flag on the mechanism. This is not as positive a solution, but sometimes it is not practical to add the necessary hardware for the limit sensors to be actuated for the entire permitted range of motion.
Solid state devices however often fail shorted (or on/closed). What to do about that? This also needs to be considered.
In the case where the device could fail in the “on” or “off” state a secondary method often needs to be introduced to verify (and help guarantee) that all is operating as expected. Perhaps the most straight forward solution is to add a second sensor and some logic to detect a single failure. If one of the sensors switches, and the other sensor does not (within a reasonable period of time), then the system would stop and an alarm would be triggered identifying the problem to the operator and/or to maintenance.
While fail-safety should always be considered to maximize reliability, it is not always necessary to do so if the consequences of failure are not serious or if the design has a certain level of inherent fail safety. For example if the mechanism does not stop due to a sensor that has more than 1 failure state, and the worst that happens is that the mechanism runs into some mechanical stops and the drive trips out on overload without causing any damage or injury, then a single sensor may be adequate. However even in this case, it might be worth looking for a different type of sensor that has a more well known failure state and design around that, especially if the cost is insignificant.
Often just choosing the right sensor can improve fail safety without adding cost.
Another consideration is getting the sensor to actuate reliably. So it is important to check the installation for anything that looks marginal. For example, with slotted adjustments I will often ask that the adjustment be pinned once everyone is satisfied with the reliability of the operation to prevent any movement of the sensor due to loosening of the adjustable settings. Using lock washers is another option. I’m not so trusting of slotted adjustments without pinning together (or otherwise securing) the two moving surfaces.
Fail Safety is NOT typically a guarantee
Fail Safe Design Limitations
Fail safe design does not mean it guarantees safety. It may just mitigate safety. If the simple solutions are not adequate (or seem questionable) then alternatives need to be considered to reduce the risk to acceptable levels. This gets into more advanced subjects of performing a formalized Hazard Analysis and determining the required Safety Integrity Levels. See references below for additional resources.
Conclusion
For this article I want to mainly point out that paying attention to the failure state of a device or system can result in no and low cost solutions that can significantly improve both the reliability and safety of a machine or process. It can also help point to the need for a more rigorous safety review.
__________________________________
References
Fail Safe articles
https://en.wikipedia.org/wiki/Fail-safe
http://www.aiche.org/chenected/2011/02/principle-fail-safe
http://www.allaboutcircuits.com/textbook/digital/chpt-6/fail-safe-design/
Electronics Failure Modes
https://en.wikipedia.org/wiki/Failure_of_electronic_components
Hazard Analysis
https://en.wikipedia.org/wiki/Hazard_analysis
Safety Integrity Level (SIL)
https://en.wikipedia.org/wiki/Safety_integrity_level
__________________________________
Created: 10/06/2016 1:09 pm CST; Updated 10/21/2016 3:50 pm CST
for Publishing on 10/10/2016 at 6:00 am CST
Harold On Controls 
Leave a Reply