The Principle of Fail-Safe

Peter Herena

Chemical Engineer with 15 years of experience in controls, software and safety systems. Presently employed by Baker Engineering & Risk Consultants, specialists in blast effects analysis, blast scenario modeling, process safety and reliability engineering. Experience includes 3 years with Kenexis Consulting, an engineered safeguard consulting company, and 10 years at UOP, a petrochemical technology licenser.

Skilled at marketing, communication and customer relations. Trained in conflict resolution with extensive experience in meeting facilitation. Trusted to successfully resolve sensitive and high-profile assignments for critical customers.

Deep experience in process, controls, software and instrumentation. Mastery in all phases of SIS safety lifecycle as applied to process industries. Broad knowledge of hazards associated with numerous process sectors, as well as risk analysis techniques.

Demonstrated organizational leadership at every career level, with a focus on developing best practices and streamlining work processes. Supported AIChE and ISA in technical and leadership capacities at local level.

Specialties: Safety Instrumented System Engineering
Process Hazards Analysis (PHA) / Hazard Identification
SIL Selection
SIL Verification
Quantitative Risk Analysis (QRA)
Fault Tree Analysis
Event Tree Analysis
What-If Analysis
Root Cause Analysis
Hazard and Operability (HazOp) Facilitation
Process Safety Management (PSM)
PSM Auditing
Control System Design and Field Commissioning
Software Development
Process Troubleshooting
Chemical Engineering

Swailes Bailey's Terminator Matterhorn at the ...
Image via Wikipedia
Recently, I took my kids to an indoor amusement park, where they really loved a particular ride. It was one with a fixed, rotating center and a bunch of arms protruding from it. The arms all whirled around at the speed where 99.9% of kids were not likely to vomit. A little pod was attached to the end of each arm, and inside the pod "cockpit" was a lever that allowed the pod to go up or down. So generally speaking how does the ride work? The arms that go up and down are operated hydraulically. When you command the pod to go up, oil is pumped into a cylinder and allows the arm linkage to extend and increase altitude. When you command the pod to go down, oil is released from the cylinder to the storage reservoir and allows the arm linkage to contract and decrease altitude. While I was watching my kids spin around at what would be a dangerous height and speed in any other circumstance, I began thinking about how we (including me) take for granted the concepts of engineered safety. The amusement ride is only one example of what happens to every other product we use or consume. Rest assured, someone has considered safety (hopefully) when designing the planes and trains you travel on , the car you drive, the super volume hairspray you use, and the amusement ride your kids ride for a dollar. And then (hopefully) the operating company has maintained, operated, and tested the ride equipment up to standards so that riding it is safer than eating the deep fried bacon-wrapped corndog on sale at the other side of the fair.

Designed for success...and for failure

While designing something that never fails is a lofty and admirable goal, it's not wholly realistic, and thus only part of the picture. In reality, good engineering considers both success and failure. Designing a product that works well is one half, and a engineering the same product to fail without disaster is the other. This is what engineers refer to as designing a system to the principle of "fail-safe." That means that it is designed in a way so that when a failure does occur, the device will tend to fail in a predictable manner to a "safe state." But before an engineer does anything else, she needs to consider, "what is the safe state?" In the case of the park ride, forcing the pods to the ground is better than forcing the pods to stay up in the air, because it's easier to remove passengers when they are at ground level, and also because passengers are less likely to be injured when they're at ground level. Once that is understood, the designers of this system are likely to design it so that if something fails--such as, for example the pump quits or a part in the oil valve breaks--the cylinder oil will be released and the pods will automatically go to the lower position. There are also measures designed into the equipment that force the oil to enter and exit the cylinder at a maximum speed so the pods don't crash to the ground and injure the occupants!

Fail-safe and the engineer

As engineers we sometimes find designing equipment to be well-built is much easier than designing it to fail predictably. In fail-safe design, consider the worst-case scenario if a key part suddenly stopped functioning. If this outcome is intolerable, then safeguards must be engineered to mitigate or prevent that outcome. Designing something to be fail-safe is a challenging thought process but an important one. Whether it is an amusement park ride, subsea safety valve, or jet engine, you can be sure that at some point something inside of it is going to break.

Have you done enough to prevent a simple failure from escalating into the unthinkable?

Comments

Submitted by ehorahan (not verified) on Thu, 02/24/2011 - 15:21

Permalink

Peter - Great first post! You are absolutely right on how important it is to design safe failure into products where lives and ecosystems are at stake. Though it may be more difficult it can not only save lives, but save one's company from lawsuits and bad press. My company designs electronic devices that should just shut down if something goes wrong. We analyze all return failures and all of the ones I have encountered have failed in a way that kept the consumer safe.

Submitted by Peter (not verified) on Fri, 02/25/2011 - 18:50

Permalink

Thanks ehorahan! It sounds like your company takes into consideration how their devices will be used by consumers and designs for safety, which is laudable. In the case of process industries, the worst thing is to assume that out-of-the-box settings of a "safety device" are correct. The end-user operator must actively consider these things because what is considered "safe state failure" in one service is anything but safe in another. Cheers!

Submitted by Aurian (not verified) on Mon, 02/28/2011 - 05:31

Permalink

I agree with Elizabeth, Peter - good first post :-). I am currently working in offshore tech safety, and this is pretty relevant. I think one of the greatest dichotomies that we constantly fight is the fact that an engineer has to maintain their focus on a fail-safe design while constantly convincing the commercial stakeholders that failure is not really a possibility. It's pretty important to remember to step back once and a while and consider your design from a different angle, so that you aren't becoming too focused on "well built" at the risk of "fail-safe."

Submitted by johnvasko (not verified) on Tue, 03/08/2011 - 16:22

Permalink

I know that this might sound like a simple example but I recently seriously cut my thumb on a scrap of metal that wraps around a glass bottle when the cap is unhinged from it. http://screencast.com/t/JfhPh3lz It was badly made. I should have removed the bottom rung of that cap but didn't and my thumb got really cut up. I think about something as simple as this and how if the cap worked properly, I wouldn't have gotten cut. Hence, taking safety for granted. A well-designed product or process is often taken for granted with respect for safety - even as something as simple as a bottle cap.