Fail-safe (English, composed of "fail", to fail, and "safe") describes any property of a system that leads to the least possible damage in the event of a failure. For a machine or plant, failures are systematically assumed and attempts are then made to render their effects as harmless as possible. This principle is used in all technical fields, and in many cases industry-specific safety regulations exist for it. In a broader sense, operating errors are considered in addition to component or power failures.
In German, the term fault tolerance is sometimes also used in this context. That term is more concerned with user-friendliness; in any case, it is rarely associated with consideration of a risk to health and the environment.
The term failure safety, by contrast, does not refer to an associated hazard but to the reliability of a system.
The standard questions are what happens if
- the main or auxiliary power fails,
- a component fails (is destroyed),
- there is an operating error,
- a fire or explosion occurs,
- there is a leak.
These questions are usually examined and assessed in an FMEA (Failure Mode and Effects Analysis).
More complex questions arise when
- several problems interact,
- problems are intentionally created.
In individual cases further questions may be useful or necessary. It is not permissible to restrict the failure analysis to the control system or the electrical installation. Likewise, consideration must not be suppressed by assessments such as "rare" or "unlikely", and the assumption of a failure must not be ruled out simply by "oversizing" a structural detail. Example: the pipe breaks (even if it has double or triple the wall thickness); the consequences of such a break must be analysed.
The operator is assumed to make operating errors; conversely, the operator therefore cannot be regarded as the guarantor of the safe state. If no satisfactory result is reached, planning redundant components can be a way out. With regard to safety, such components are then necessary, not superfluous.
Main signals in railway operations basically show two aspects: stop and proceed. Their task is to allow only one train at a time into a block section. A signal and its control are constructed so that in the event of a fault it assumes or maintains the stop aspect. In addition, effective train protection systems are now coupled to the signals, which automatically trigger an emergency brake application when a signal showing stop is passed. Thus even in the event of a fault no train enters the occupied block section.
In Central Europe, mechanical signals were designed so that the signal arm shows stop in the horizontal position and proceed when raised at an angle. If one strand of the wire pull breaks, the tensioning mechanism pulls the signal via the intact strand against a stop into the stop position. If the linkage on the signal mast is severed at any point or a transmission rod breaks, the arm (or arms) drop into the stop position under gravity. Particularly on railways in Great Britain, semaphore signals were and are customary in which the proceed aspect is formed by an arm pointing downwards at an angle ("lower quadrant"). Owing to the shape of the arm's base plate, these signal arms also reach the stop position if the rod breaks. That is construction by the fail-safe method: faults disrupt operations, but on the safe side. The same principle applies to the railway brake: during the journey the main air line must be under pressure for the brakes to release. If a coupling breaks, and with it the brake line, the main air line is vented in both parts of the train and an emergency brake application occurs.
Use in aircraft construction
The fail-safe method is used in many areas of aircraft construction. It assumes that components will fail over time under constantly changing loads. To prevent the whole system from failing, this philosophy relies on the so-called fail-safe construction: the structure is multiply statically indeterminate, so that if one component fails another component can take over its task. The neighbouring part must absorb at least the safe load (the maximum operating load). Examples from aircraft construction are crack stoppers, intended to prevent cracks from growing, and the bolts used to fasten the engines, which are provided twice (bolt within bolt) and each designed for the maximum load.
Regular inspection to identify cracks in good time is essential with this method; the damage must therefore be detectable during routine examinations. The failed component must then be replaced as soon as possible, so easy replacement is a prerequisite of the fail-safe design.
In model building, a fail-safe module is an assembly which, when the receiver receives unreliable signals, caused by weak radio reception or insufficient battery power, performs a defined action in the model, e.g. actuates the brake. With good modules the action in the fail-safe case can be configured. This is intended to prevent the model from moving uncontrollably and possibly being destroyed or causing damage. It is mostly used on car or aircraft models.
Before the introduction of radio control, glider models launched by hand or by a rubber or cable tow were trimmed to fly altitude-holding circles and simply left to the updraft. If the model happened to stay too long in an updraft, which is favourable in principle, there was a risk that it would fly out of sight or otherwise be carried beyond reach. For this purpose a thermal brake is installed: a smouldering fuse, cut to a prepared length, actuates the horizontal stabiliser after a predetermined time so that the model descends quickly.
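The receiver-side logic of such a fail-safe module, as an added illustration that is not part of the original article and not any manufacturer's firmware: the receiver keeps the last frame that passed its checksum, and applies configured fail-safe outputs when that frame is too old (lost reception), reports poor link quality, or reports low battery voltage. The channel names, the thresholds, and the frame format are assumptions for the example.

```python
"""Receiver-side fail-safe module for a radio-controlled model.

Constructed example: the receiver keeps the last frame that passed its
checksum; when that frame is too old (weak or lost reception), reports poor
link quality, or reports low battery voltage, the configured fail-safe
outputs are applied instead of the transmitter's commands.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FailSafeConfig:
    frame_timeout_ms: int = 500      # no valid frame for this long -> fail-safe
    min_link_quality: int = 30       # percent of expected frames received
    min_voltage_v: float = 4.5       # receiver battery voltage
    # Hypothetical channel names; these outputs are applied in the fail-safe case.
    safe_outputs: Dict[str, int] = field(
        default_factory=lambda: {"throttle": 0, "brake": 100, "steering": 50})


@dataclass
class Frame:
    t_ms: int                 # receiver clock when the frame arrived
    link_quality: int         # 0..100 as measured by the receiver (assumed)
    voltage_v: float          # battery voltage reported with the frame (assumed)
    channels: Dict[str, int]  # commanded servo positions, 0..100
    checksum_ok: bool = True


class Receiver:
    def __init__(self, cfg: FailSafeConfig):
        self.cfg = cfg
        self.last_frame: Optional[Frame] = None

    def on_frame(self, frame: Frame) -> None:
        """Keep only frames that pass the checksum; corrupted ones are dropped."""
        if frame.checksum_ok:
            self.last_frame = frame

    def reason(self, now_ms: int) -> str:
        """Why the receiver is (or is not) in the fail-safe state right now."""
        f = self.last_frame
        if f is None:
            return "no_frame"
        if now_ms - f.t_ms > self.cfg.frame_timeout_ms:
            return "timeout"
        if f.link_quality < self.cfg.min_link_quality:
            return "weak_signal"
        if f.voltage_v < self.cfg.min_voltage_v:
            return "low_battery"
        return "ok"

    def outputs(self, now_ms: int) -> Dict[str, int]:
        """Servo outputs to apply: transmitter commands or the safe outputs."""
        if self.reason(now_ms) == "ok":
            return dict(self.last_frame.channels)
        return dict(self.cfg.safe_outputs)


def run_scenario(frames: List[Frame], now_ms: int,
                 cfg: Optional[FailSafeConfig] = None) -> str:
    """Feed constructed frames to a fresh receiver and report its state at now_ms."""
    rx = Receiver(cfg or FailSafeConfig())
    for f in frames:
        rx.on_frame(f)
    return rx.reason(now_ms)


# Constructed frames: normal driving, weak reception, flat battery, corrupted frame.
DRIVE = {"throttle": 60, "brake": 0, "steering": 50}
GOOD = Frame(t_ms=1000, link_quality=95, voltage_v=5.2, channels=DRIVE)
WEAK = Frame(t_ms=1020, link_quality=10, voltage_v=5.2, channels=DRIVE)
FLAT = Frame(t_ms=1040, link_quality=95, voltage_v=4.1, channels=DRIVE)
CORRUPT = Frame(t_ms=1060, link_quality=95, voltage_v=5.2, channels=DRIVE,
                checksum_ok=False)

if __name__ == "__main__":
    rx = Receiver(FailSafeConfig())
    rx.on_frame(GOOD)
    print("at 1100 ms:", rx.reason(1100), rx.outputs(1100))
    print("at 2000 ms:", rx.reason(2000), rx.outputs(2000))
```

A corrupted frame is dropped rather than treated as new data, so the receiver keeps acting on the last good command until the timeout expires; only then do the configured safe outputs take over, which is the behaviour the module is meant to provide when reception becomes unreliable.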
Fail-safe is also a design method for detecting the occurrence of faults in systems and bringing a machine into a safe state.
With static fail-safe, components are attached and connected to a control system in such a way that the component produces a safe state on failure. For example, a sensor is mounted on a monitoring system so that it is actuated in the normal state, and wired so that it then applies voltage to the evaluating device. If the actuation is removed or a wire break occurs, the evaluating device sees the same state as on a sensor fault and stops the machine. Static fail-safe is not tamper-proof, because the component can be manipulated so that a safe state is simulated to the evaluating device (e.g. via a wire bridge or an element that actuates the sensor in another way). Static fail-safe is possible for both sensors and actuators.
Dynamic fail-safe monitors changes in the state of a connected component: reactions to a sensor are triggered not by the state of the sensor itself but by a change of state. For sensors that change state regularly (for example in every machine cycle), a plausibility check is also carried out: depending on the machine position, the sensor must be in a particular state at a previously defined position. Dynamic fail-safe is only possible for sensors. The number of sensors and actuators with fail-safe logic in a machine is determined on the basis of a risk analysis.
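The static and dynamic evaluation described in the two preceding paragraphs, as an added example that is not part of the original article: a guard-door switch evaluated statically (voltage present means run; loss of actuation, a wire break and a dead sensor all look alike) and a cam sensor that must toggle every machine cycle evaluated dynamically with a plausibility check. It also shows the stated limitation: a wire bridge fools the static check but is caught by the dynamic one. The machine positions, the required states and the sensor names are assumptions for the example.

```python
"""Static vs. dynamic fail-safe evaluation of machine sensors.

Constructed example: a guard-door switch evaluated statically and a cam
sensor that must toggle every machine cycle evaluated dynamically.
"""
from typing import Dict, List, Optional, Tuple


# --- Static fail-safe -------------------------------------------------------
def static_input(actuated: bool, wire_intact: bool, bridged: bool = False) -> bool:
    """Electrical input as seen by the evaluating device.

    The sensor is actuated in the normal state and then applies voltage.
    Loss of actuation, a wire break and a dead sensor all look the same:
    no voltage. A wire bridge (tampering) feeds voltage regardless.
    """
    if bridged:
        return True
    return actuated and wire_intact


def static_fail_safe(input_energised: bool) -> str:
    """Evaluating device: voltage present -> 'run', anything else -> 'stop'."""
    return "run" if input_energised else "stop"


# --- Dynamic fail-safe ------------------------------------------------------
class DynamicFailSafe:
    """Evaluates a sensor by its state changes and by plausibility.

    `required` maps machine positions (hypothetical cam angles) to the state
    the sensor must show there. A cycle is accepted only if every required
    position was plausible and the sensor changed state at least once.
    """

    def __init__(self, required: Dict[int, bool]):
        self.required = required
        self._last: Optional[bool] = None
        self._changed = False

    def sample(self, position: int, state: bool) -> str:
        if position in self.required and state != self.required[position]:
            return "stop"  # implausible: wrong state at a defined position
        if self._last is not None and state != self._last:
            self._changed = True
        self._last = state
        return "run"

    def end_of_cycle(self) -> str:
        """A sensor that never changed state is stuck or bridged -> stop."""
        changed, self._changed = self._changed, False
        return "run" if changed else "stop"


def evaluate_dynamic_cycle(samples: List[Tuple[int, bool]],
                           required: Dict[int, bool]) -> str:
    """Run one machine cycle of (position, state) samples through the monitor."""
    monitor = DynamicFailSafe(required)
    for position, state in samples:
        if monitor.sample(position, state) == "stop":
            return "stop"
    return monitor.end_of_cycle()


# Constructed cam-sensor cycles: the cam presses the sensor between 40 and 80.
REQUIRED = {0: False, 60: True}
NORMAL_CYCLE = [(0, False), (20, False), (40, True), (60, True), (80, False)]
BRIDGED_CYCLE = [(0, True), (20, True), (40, True), (60, True), (80, True)]     # wire bridge
STUCK_CYCLE = [(0, False), (20, False), (40, False), (60, False), (80, False)]  # dead sensor

if __name__ == "__main__":
    print("door closed:", static_fail_safe(static_input(True, True)))
    print("wire break:", static_fail_safe(static_input(True, False)))
    print("bridge, door open:", static_fail_safe(static_input(False, True, bridged=True)))
    for name, cycle in [("normal", NORMAL_CYCLE), ("bridged", BRIDGED_CYCLE),
                        ("stuck", STUCK_CYCLE)]:
        print(name, "cycle:", evaluate_dynamic_cycle(cycle, REQUIRED))
```

Even without any required positions, a cycle in which the sensor never changes state is rejected at the end of the cycle, because a component whose state never moves is indistinguishable from a stuck or bridged one; this is the reason dynamic fail-safe can only be applied to sensors that are expected to toggle.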
Other construction philosophies alongside the fail-safe method are safe-life and the damage-tolerance method. The fail-safe method represents an economically reasonable compromise between these two.