Thanks to Finagle's Law (or just ignorant writers), on TV a system's failsafe will never work when it's needed the most, nor will it actually be failsafe -- usually it'll be quite the opposite, sometimes referred to as "fail deadly". The only reference to an emergency shutdown you're likely to hear is a panicked tech yelling "It won't shut down!" as the system runs wild. It's supposed to make the phenomenon of Explosive Instrumentation more plausible, by acknowledging that it's not supposed to blow up in your face, but that a failure elsewhere of a key safety lockout means it can, and will. It also justifies how something that is supposedly governed by industry-wide standards, regulatory law, and years of engineering refinements could go so horribly wrong in the first place.

What's a failsafe? Well, the world is full of a lot of dangerous machinery and devices. Huge electrical turbines, nuclear reactors, trains speeding down the tracks at 300 km/h, semi trucks that weigh in excess of 40 tons loaded rolling down the freeways -- and that's just the stuff that isn't designed to kill anyone. There are plenty of stockpiled bombs, missiles and such out there too. These are all things that would cause some spectacular collateral damage if they suddenly went haywire. Thus, in the real world, things that have the potential for very destructive damage not only undergo strict maintenance procedures, but usually have circuit breakers, password protection, arming/firing keys, backups for redundancy, and prominent big bright red emergency handles that can shut the whole system down if pulled -- and, more to the point, they usually have a totally separate set of safety features, designed to trigger automatically when the system's operating parameters get too far outside safe norms, which will (ideally) shut down the whole shebang without making the situation worse than it already is.
If something is described as "fail safe", it means that it has been designed and built so that a critical mechanical or operator failure will cause the system in question to default to its safest possible state, quickly and automatically, without any human intervention. It's worth noting that while a triggered failsafe is generally designed to be safe for people, it can be amazingly destructive to the equipment in question, up to and including "your multi-million-dollar installation is not just wrecked, it's also a toxic-waste site". Unfortunately, this can provide a motive for the operators to sabotage the failsafe...

Failsafe measures can range from the simple to the complex: from automobile safety glass (it's not intended to shatter at all, but when it does, it shatters into relatively harmless little crumbs instead of huge deadly shards with edges like scalpel blades) to the safety key on a "jet ski" (it's tied to the operator by a lanyard, so that should they fall off, it will pull out the key and stop the craft instead of leaving it driverless) to the modern air brake system on a train (air pressure is used to keep the brakes off, so that a loss of pressure causes the brakes to come on, and the "dead man's handle" in the locomotive will automatically apply the brakes if the engineer is somehow incapacitated).

Modern nuclear reactors are possibly the most thorough example of the "fail safe" principle available. In current designs, excess heat will interrupt the fission reaction and shut down the reactor simply by heat expansion of some key components; the core is designed so that a sufficient degree of heat expansion results in the fuel elements being too widely separated to sustain a reaction, so that the reactor cools down instead of overheating until the core melts. If that's not enough, the SCRAM (emergency shutdown) system is usually implemented as a separate set of control rods, dedicated to emergency-shutdown use and suspended above the reactor by electromagnets, or by mechanical clamps sprung to pop open when electrical power is removed; that way, even a complete power failure will still release the rods to drop into the core and starve out the reaction (some designs even include a spring-loaded backup for that system, just in case gravity stops working). Strongly safety-oriented designs, such as the Canadian CANDU, also include the ability to inject a neutron-absorbing liquid into the core, so that even if the SCRAM rods become completely inoperable -- say, if there's a fire within the containment building that warps the rods or their channels so that they get stuck instead of dropping into the core -- there's still a way to bring a runaway reaction under control before it turns into a catastrophe. (This is very likely to completely wreck the reactor core, of course -- but, most often, by the time things are bad enough that "fail safe" comes into play, whatever device is failing is already a lost cause, and the idea is to limit the extent of the damage as much as possible.)

All of this is ignored in fiction-land, where the hero will have to go into that burning building or board that Runaway Train and manually stop the catastrophe themselves, since the folks at Mission Control have already tried to stop it but every emergency system failed to respond. Of course, all of this is based on a completely ass-backwards understanding of the concept, but what else can you expect from Hollywood? In Real Life most disasters are caused by a combination of different failures, or more commonly different errors, which when combined manage to defeat normal safety measures.
This is where "fail safe" can really shine; a truly fail-safe design takes human factors into account, which is a nicer way of saying that sometimes people royally screw up and it's necessary to engineer for that kind of failure too. Remember, plane and train crashes tend to make the news because they don't happen every day. The "human-proof" failsafe design is getting more and more prominent nowadays exactly because the biggest techno-catastrophes in history had operating errors on a Too Dumb to Live level as key precursors. Things hardly "just blow up". The infamous Chernobyl disaster was only made possible by operators intentionally disengaging all of the reactor's safety features to conduct an ill-advised experiment. Later investigation concluded that just a fraction of those systems left online would have likely prevented the catastrophe -- as they were designed to. The only slightly less famous Three Mile Island disaster had a faulty critical component that was discovered in time but neither replaced nor properly bypassed. The Bhopal toxic spill happened after literally years of negligence by the operators of both the physical condition of the equipment and the established safety protocols for handling poisonous materials, basically operating unsafely and relying on luck until it ran out. Fukushima Daiichi was being operated well past when safer reactor designs had been invented, was built with fewer precautions for both earthquakes and tsunami than it should have been, and had several parts (that would be broken in the earthquake) in disrepair or lacking inspection. And so on...

Compare the way Hollywood treats personal vehicles: when the owner is always Driving Like Crazy, bribing the traffic cops and leaving the car in a state of neglect, a falling-apart car that endangers its occupants and everyone around it is frequently treated as comedy. See also No OSHA Compliance, Override Command, Deadfoot Leadfoot, Inventional Wisdom.
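The train air-brake and dead-man's-handle description above boils down to one design rule: the safe state is what happens when a signal is *absent*, not what happens when something actively commands it. The following toy model, added here as an illustration and not part of the original page, encodes that rule as a brake controller and puts a "fail deadly" controller beside it for contrast. The names, pressure threshold and timeout are assumptions chosen for the example, not real railway figures.

```python
"""Toy model of the "fail safe" vs "fail deadly" brake logic.

Added illustration, not from the original page. Air pressure holds the
brakes OFF, the dead-man's handle must be acknowledged periodically, and
control power keeps the circuit alive; losing any of them must apply the
brakes without anyone commanding it. All constants are assumptions.
"""
from dataclasses import dataclass

# Assumed thresholds for the toy model (not real railway figures).
MIN_BRAKE_PIPE_PSI = 70.0    # below this the brake cylinders apply
DEAD_MAN_TIMEOUT_S = 5.0     # handle must be acknowledged at least this often


@dataclass
class TrainState:
    """Inputs available to the brake controller in one control cycle."""
    brake_pipe_psi: float        # air pressure that holds the brakes off
    seconds_since_handle: float  # time since the dead-man's handle was last acknowledged
    power_on: bool               # is the control circuit energised?
    operator_release: bool       # is the operator asking for the brakes to be released?


def fail_safe_brakes_applied(s: TrainState) -> bool:
    """Fail-safe logic: the brakes are applied unless every condition that
    keeps them off is positively satisfied. Any missing signal -> applied."""
    if not s.power_on:
        return True     # de-energised: nothing is holding the brakes off
    if s.brake_pipe_psi < MIN_BRAKE_PIPE_PSI:
        return True     # loss of pressure (burst hose, uncoupled car)
    if s.seconds_since_handle > DEAD_MAN_TIMEOUT_S:
        return True     # engineer incapacitated: handle not acknowledged in time
    return not s.operator_release   # everything healthy: do what the operator asks


def fail_deadly_brakes_applied(s: TrainState) -> bool:
    """The Hollywood design, for contrast: the brakes only come on when an
    energised system actively commands them. Losing power, pressure or the
    operator leaves the train rolling, which is exactly what the trope needs."""
    if not s.power_on:
        return False    # no power, so no brake command can be issued
    return not s.operator_release   # ignores pressure and the dead-man's handle entirely


def run_scenarios() -> dict:
    """Evaluate both designs over constructed fault scenarios.

    Returns {scenario: (fail_safe_applies, fail_deadly_applies)}."""
    scenarios = {
        "normal running": TrainState(90.0, 1.0, True, True),
        "burst brake pipe": TrainState(20.0, 1.0, True, True),
        "engineer unresponsive": TrainState(90.0, 30.0, True, True),
        "control power lost": TrainState(90.0, 1.0, False, True),
    }
    return {name: (fail_safe_brakes_applied(s), fail_deadly_brakes_applied(s))
            for name, s in scenarios.items()}


if __name__ == "__main__":
    for name, (safe, deadly) in run_scenarios().items():
        print(f"{name:24s} fail-safe applies brakes: {str(safe):5s} "
              f"fail-deadly applies brakes: {deadly}")
```

Only the "normal running" row has the brakes released in the fail-safe design; every fault row applies them, while the fail-deadly design leaves the train rolling in all three fault cases. The same reasoning is what security engineers mean by "fail closed": an access check that cannot complete denies rather than permits.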
Often invoked in a chain of Disaster Dominoes. Examples of Failsafe Failure include: