Analysis: Failsafe Failure
Failsafe measures can range from the simple to the complex. From automobile safety glass (it's not intended to shatter at all, but when it does, it shatters into relatively harmless little crumbs instead of huge deadly shards with edges like scalpel blades) to the safety key on a treadmill or personal watercraft (it's tied to the operator by a lanyard, so that should they fall off, it will pull out the key and stop the craft instead of leaving it driverless) to the modern air brake system on a train (air pressure is used to keep the brakes off, so that a loss of pressure causes the brakes to come on, and the "dead man's handle" in the locomotive will automatically apply the brakes if the engineer is somehow incapacitated).
Modern nuclear reactors are possibly the most thorough example of the 'fail safe' principle available. In current designs, excess heat will interrupt the fission reaction and shut down the reactor simply by heat expansion of some key components; the core is designed so that a sufficient degree of heat expansion results in the fuel elements being too widely separated to sustain a reaction, so that the reactor cools down instead of overheating until the core melts. If that's not enough, the SCRAM (emergency shutdown) system is usually implemented as a separate set of control rods, dedicated to emergency-shutdown use and suspended above the reactor by electromagnets, or by mechanical clamps sprung to pop open when electrical power is removed; that way, even a complete power failure will still release the rods to drop into the core and starve out the reaction (some designs even include a spring-loaded backup for that system, just in case gravity stops working). Strongly safety-oriented designs, such as the Canadian CANDU, also include the ability to inject a neutron-absorbing liquid into the core, so that even if the SCRAM rods become completely inoperable — say, if there's a fire within the containment building that warps the rods or their channels so that they get stuck instead of dropping into the core — there's still a way to bring a runaway reaction under control before it turns into a catastrophe. (This is very likely to completely wreck the reactor core, of course — but, most often, by the time things are bad enough that "fail safe" comes into play, whatever device is failing is already a lost cause, and the idea is to limit the extent of the damage as much as possible.)
All of this is ignored in fiction-land, where the hero will have to go into that burning building or board that Runaway Train and manually stop the catastrophe themselves, since the folks at Mission Control have already tried to stop it but every emergency system failed to respond. Of course, all of this is based on a completely ass-backwards understanding of the concept, but what else can you expect from Hollywood?
It's worth noting that while a triggered failsafe is generally designed to be safe for people, it can be amazingly disruptive and destructive to the equipment in question. Tripped breakers have to be reset, safety locks have to be unlocked and readied again, paperwork has to be filled out, and so on. The mere act of pulling the emergency brake when someone wanders onto the tracks will stop a train, but it will also likely put a lot of wear on the brakes, damage the cargo, and make the train and every other one on the same track fall behind schedule. When the act of preventing a minor accident has such major economic costs, this can provide a motive for the operators to try to bypass the failsafe, with predictable results. In fact, this desire to not lose a multi-million-dollar installation over a minor slip-up leading to a total lack of safety features is probably a realistic way to Hand Wave this trope into existence, yet few instances ever seem to go this route.
In Real Life, most disasters are caused by a combination of different failures, or more commonly different errors, which when combined manage to defeat normal safety measures. This is where 'fail safe' can really shine; a truly fail-safe design takes human factors into account, which is a nicer way of saying that sometimes people royally screw up and it's necessary to engineer for that kind of failure too. Remember, plane and train crashes tend to make the news because they don't happen every day.
The "human-proof" failsafe design is getting more and more prominent nowadays exactly because the biggest techno-catastrophes in history had operating errors on a Too Dumb to Live level as key precursors. Things hardly "just blow up". The infamous Chernobyl disaster was only made possible by operators intentionally disengaging all of the reactor's safety features to conduct an ill-advised experiment. Later investigation concluded that just a fraction of those systems left online would have likely prevented the catastrophe — as they were designed to. The only slightly less famous Three Mile Island disaster had a faulty critical component that was discovered in time but neither replaced nor properly bypassed. The Bhopal toxic spill happened after literally years of negligence by the operators of both the physical condition of the equipment and the established safety protocols for handling poisonous materials, basically operating unsafely and relying on luck until it ran out. Fukushima Daiichi was being operated well past when safer reactor designs had been invented, was built with fewer precautions for both earthquakes and tsunamis than it should have been, and had several parts (that would be broken in the earthquake) in disrepair or lacking inspection. And so on...