History: Main / FailSafeFailure

Reason: None

Added DiffLines:

* ''VideoGame/{{Mindustry}}'' allows you to build your own failsafe systems using [[ProgrammingGame logic processors,]] which can be used to turn off Thorium Reactors if they take damage or lose coolant. However, those processors can be destroyed like any other block, which reactivates any blocks that the processor had disabled while it was running. If you didn't unload the fuel while they were disabled... '''[[GoingCritical boom.]]'''
Reason: None


* Two ''ComicBook/SpiderMan'' examples, involving the same robot:
** In the aftermath of the ''Acts of Vengeance'', the defeated Loki tried to get revenge by destroying New York by stealing control of three Sentinels built by Sebastian Shaw, and combining them into the titanic Tri-Sentinel, which he then ordered to destroy a nuclear power plant. As Spider-Man (who possessed the Captain Universe power) struggled to stop the thing, Shaw tried to activate a failsafe he had placed in the three Sentinels in the event they turned on him (as Sentinels often do). Simply put, the program would reveal to a Sentinel that, since their abilities were "inherited" and improved upon from the original Mach-1 Sentinels, they are technically mutants. In theory, this would act as a LogicBomb, causing a rogue Sentinel who has this revelation thrust upon it to destroy itself, as its directive is to destroy mutants. Unfortunately, Loki's sabotage had seriously screwed up the Tri-Sentinel's programming, and the failsafe didn't do anything more than confuse it for a couple of minutes. Still, that small delay was enough for Spidey to bring the Uni-Power to its full potential and blow it to dust in a climactic finish.

to:

* ''ComicBook/SpiderMan'' has two examples, both involving the same robot:
** In the aftermath of the ''Acts of Vengeance'', the defeated Loki tried to get revenge by fusing three Sentinels created by Sebastian Shaw into the titanic Tri-Sentinel and ordering it to destroy a nuclear power plant in New York. As Spider-Man (who possessed the Captain Universe power at the time) struggled to stop the thing, Shaw activated a failsafe he had placed in the three Sentinels in the event they turned on him (as Sentinels often do). Simply put, the program would reveal to a Sentinel that, since their abilities were "inherited" and improved upon from the original Mach-1 Sentinels, they are technically mutants. In theory, this would act as a LogicBomb, causing a rogue Sentinel who has this revelation thrust upon it to destroy itself, as its directive is to destroy mutants. Unfortunately, Loki's sabotage had seriously screwed up the Tri-Sentinel's programming, and the failsafe didn't do anything more than confuse it for a few minutes. Still, that small delay was enough for Spidey to bring the Uni-Power to its full potential and blow it to dust in a climactic finish.

Added: 294

Changed: 108

Reason: None


* In ''Literature/TheMartian'', in the event of a failure of the hab's main communication equipment, the Ares III mission had three redundant comm devices... unfortunately for Mark, they were all in the now-departed Mars Ascent Vehicle.

to:

* In ''Literature/TheMartian'', in the event of a failure of the hab's main communication equipment, the Ares III mission had three redundant comm devices... unfortunately for Mark, they were all in the now-departed Mars Ascent Vehicle (MAV). The engineers explaining this to Venkat Kapoor admit that it's because of a "failure of imagination".
--> '''Kapoor''': How could we overlook this?
--> '''Chuck''': Never occurred to us. We never thought someone would be on Mars ''without'' a MAV.
--> '''Morris''': I mean, come on! What are the odds?
--> '''Chuck''': One in three, based on empirical data. That's pretty bad if you think about it.
Reason: None


* In ''WesternAnimation/StarWarsTheCloneWars'' episode '[[Recap/StarWarsTheCloneWarsS7E9OldFriendsNotForgotten Old Friends not Forgotten]]'' a clone pilot is stuck in a crashing fighter, which does have an ejector seat, but he can't deploy it due to damage to the ship. Ahsoka cuts open the canopy, and he thanks her before ejecting safely.

to:

* In ''WesternAnimation/StarWarsTheCloneWars'' episode ''[[Recap/StarWarsTheCloneWarsS7E9OldFriendsNotForgotten Old Friends not Forgotten]]'' a clone pilot is stuck in a crashing fighter, which does have an ejector seat, but he can't deploy it due to damage to the ship. Ahsoka cuts open the canopy, and he thanks her before ejecting safely.
Reason: None

Added DiffLines:

* In ''WesternAnimation/StarWarsTheCloneWars'' episode '[[Recap/StarWarsTheCloneWarsS7E9OldFriendsNotForgotten Old Friends not Forgotten]]'' a clone pilot is stuck in a crashing fighter, which does have an ejector seat, but he can't deploy it due to damage to the ship. Ahsoka cuts open the canopy, and he thanks her before ejecting safely.

Added: 9

Changed: 10

Reason: None


[[index]]




to:

[[/index]]

Added: 40

Removed: 70174

Reason: Split Real Life's folder to its own page due to increasing size.


* [[FailsafeFailure/RealLife Real Life]]




[[folder:Real Life]]
* A very, very narrow aversion occurred in the [[https://en.wikipedia.org/wiki/1961_Goldsboro_B-52_crash 1961 Goldsboro B-52 crash]], when a B-52 carrying nuclear bombs crashed near Goldsboro, NC. Nuclear weapons are designed with failsafe systems to ensure that a nuclear detonation doesn't occur accidentally; in this case there were four separate switches on the bombs that all needed to be armed in order to trigger a nuclear explosion. When the military bomb disposal team found one of the bombs, they discovered that only a single switch was still in safe mode, meaning one circuit was all that stood between safety and an approximately 8-mile crater in North Carolina.
* In 2017, WannaCry -- a ransomware botnet -- affected more than 20% of hospitals in the UK, later spreading to over 74 countries. The malware was designed to automatically ping an unregistered domain name, and would shut itself down if it found that the domain actually existed. A twentysomething hacker found this flaw, registered the previously unregistered domain name, and began to intercept the botnet's packets. This registered domain's IP address reached all affected [=PCs=]... shutting down the virus. As Malware Tech, a British research firm, described it: "It thought it was in a sandbox [testing environment] and killed itself." Or, to put it another way, it was the cybersecurity equivalent of launching a missile that will only detonate if it hits a preassigned city... and having the missile technician add "Mojave Desert" to the missile's launch code database.
* As recounted in the ''Seconds From Disaster'' documentary, the [[http://en.wikipedia.org/wiki/Gare_de_Lyon_rail_accident Gare de Lyon rail accident]] in 1988, where an inbound SNCF commuter train with disabled brakes crashed into a stationary outbound train, was the result of a ''horrible'' chain of errors and system failures that completely overwhelmed the existing failsafe mechanisms. Almost everything that possibly could have gone wrong, did.
* The [[http://en.wikipedia.org/wiki/Moorgate_tube_crash Moorgate Tube crash]] of 1975 highlighted a major flaw in the London Underground's safety precautions, which were designed to withstand an inexperienced or careless driver engaging the brakes late but not to handle a train running towards the end of the line at full throttle. And for reasons never definitively established, the driver was still gripping the DeadMansSwitch right up until the train hit the end of the tunnel.
* The [[http://en.wikipedia.org/wiki/Therac-25 Therac-25]] radiation therapy machine is now used as an example in engineering textbooks of how ''not'' to design a safety-critical system. Through a combination of corporate negligence and incompetent design, it killed or maimed several patients with overdoses of radiation. The machine contained two radiation sources: one with low power for direct use, the other ''100 times more powerful'' to be used only with diffusing hardware. A software module was intended to prevent human error from activating the high-power beam without all its accompanying hardware engaged... but pressing a key at just the right instant would crash that module ''and the operator would have no idea''. '''[[EpicFail Oooops.]]''' The Therac-25 disaster is used to demonstrate several basic design principles:
** Do not reuse existing software after hardware changes.
** Provide human operators with clear and significant error messages.
** Do not rely exclusively on software to verify hardware status.
** Have a clear reporting system for errors and accidents at the corporate and governmental levels.
** Do not assume your software is flawless. [[note]]The machine used essentially the same software as its predecessor, the Therac-20. Because that machine had never had an incident, it was assumed the software was free of bugs. The reason why there weren't incidents earlier was that the Therac-20 had hardware interlocks that made it impossible to switch on the high-power beam without the accompanying hardware in place, not because the software was bug-free.[[/note]]
* Website/DarwinAwards winners/losers often go to extreme lengths to override major failsafes in order to achieve minor objectives. Like [[http://darwinawards.com/personal/personal2000-39.html this man]], who had to try ''really'' hard before he could get run over. Or [[https://darwinawards.com/darwin/darwin2000-10.html the winner]] who tried to unjam a woodchipper without turning it off first and Film/{{Fargo}}-ified himself.
* [[UsefulNotes/RMSTitanic The sinking]] of the ''Titanic'' on 15 April 1912 was so unexpected because of its novel failsafe design, with multiple watertight compartments that should have been able to keep it afloat if any one or two compartments were breached, or even if all four of the forward compartments were lost. The bulkheads that were supposed to seal off the compartments, while extending above the waterline, were not sealed at the top, meaning that they could still overflow and fill other compartments if the ship's equilibrium was sufficiently shifted, such as by, say, ''six'' of the front compartments all filling up due to multiple breaches in the hull along its side. And once the six front compartments flooded, this ''accelerated'' the sinking of the ship as the water weighed down the front of the ship, causing the stern to rise into the air and eventually leading to the ship breaking in half from the strain. The fact that all the water was in the front also hindered the pumps meant to help remove water if the ship flooded, which were at the rear. It's now believed that if there had been no compartments and the ship had flooded evenly, the ship would have sunk much more slowly, allowing help to arrive in time. And of course, the final failsafe on any ship--the lifeboats--failed to save most of the passengers, because there weren't enough of them. The ''Titanic'' had room to carry enough lifeboats, but it sailed with only one-third of its capacity. Contrary to urban legend, this wasn't because the builders thought the ship was unsinkable and dodged regulations; carrying only a fraction of lifeboat capacity was standard practice at the time, based on assumptions about how slowly passenger ships sank--it was expected that help would arrive before the ship had to be completely evacuated and the lifeboats would simply ferry the passengers to the rescue vessels, and several previous disasters in which lifeboats were horrifically destroyed by stormy seas while those who stayed on the afflicted vessels survived long enough for rescue made them seem unreliable compared with ship design failsafes. The only ships that sailed with enough lifeboats for everybody were warships, which were expected to go down in conditions where they would sink ''fast''. There ''were'' regulations on the bare-minimum number of lifeboats to be carried, but they were based around the weight of the ship, not passenger capacity, and the number aboard ''Titanic'' as-built was already ''over'' that limit. The ''Titanic'' just had the poor luck to sink in a situation where the closest ship (the ''Californian'') couldn't receive her distress calls due to the lack of round-the-clock wireless operations, and the second closest (the ''Carpathia'') was too far away to reach the ''Titanic'' before it sank[[note]]this is where the ship sinking more slowly might have made a critical difference[[/note]].
* The [[UsefulNotes/{{Chernobyl}} Chernobyl Nuclear]] [[http://en.wikipedia.org/wiki/Chernobyl_disaster#The_accident Power Plant]] had all the normal failsafes for its reactor design but operators had deliberately disabled many of them to test a new shutdown procedure.
** Worse, the operators were trying to increase output because the test wasn't working as anticipated. Even worse than that, the shutdown had been scheduled much earlier in the day but minor problems on the grid delayed it. Thus, the crew performing the test were not the ones who had been briefed on it. They mistakenly reduced power, then over-corrected into a completely untested and unstable reactor mode... then decided to proceed with the test instead of just shutting down.
** The operator errors were exacerbated by several design features that were clearly less than ideal. For example, the control rods were poorly designed -- in an emergency reactor shutdown or "scram", the control rods are dropped en masse to block neutron emissions and shut down the chain reaction. Because Chernobyl's control rods had graphite tips (the same material used to moderate the reaction in the first place), the scram caused a sudden power flare before damping the reaction. The Soviet Union was ''aware'' of the potential for power spikes, but previous spikes had always been brought under control and the problem never became a priority to fix. By the time the (unfortunately manually operated) scram button was finally pressed at Chernobyl, partial meltdown had already begun. When all of the graphite rod tips entered the chamber at once, the resulting power spike damaged the reactor vessel. The control rods broke off, leaving the reaction-boosting graphite tips lodged in the chamber and the actual control rods jammed and broken, at which point the reactor exploded. However, many other RBMK-design reactors were successfully operated, after modification, for many years after the catastrophe, suggesting that the design issues were not as big a factor in the disaster as human error.
* Britain's experimental Windscale nuclear reactor was simultaneously an example and an aversion of a Failsafe Failure. The reactor was constructed in order to give Britain parity with the United States in the nuclear arms race, but a combination of modifications to the reactor's operating procedures and incomplete understanding of graphite's response to nuclear bombardment resulted in situations where the reactor would periodically give off spikes of high heat, for which the original temperature monitoring equipment was woefully inadequate. It also lulled the operators into getting accustomed to seeing occasional high temperatures in the normal course of operation. Thus, when the reactor caught fire, it was at first thought nothing was wrong. It continued for three days at temperatures exceeding a thousand degrees centigrade whilst the temperature sensors - located away from the hotspots - reported normal operating conditions. The original design allowed for the uranium fuel cores to be pushed through their channels into a cooling bath, but by the time the fire had been discovered the cores were too hot to move. Not only had they become jammed by heat expansion, they were so hot that metal poles used to try and move them simply melted on contact. After several failed attempts to cool the reactor it was eventually brought under control by flooding the cores with water. However, the disaster could have had far more serious consequences. Windscale was air-cooled. Core temperature was kept under control with a series of fans, and the waste heat was exhausted into the air. On the suggestion of Nobel prize-winning nuclear pioneer Sir John Cockcroft the cooling towers were fitted with expensive, complex air filters, which were originally pooh-poohed on account of the work involved - the towers had already been constructed by the time Cockcroft found out about them, and the filters were large, heavy structures that had to be built on top of the towers. As it turned out, the filters prevented the direct release of red-hot nuclear particulates into the environment, although the release of radiation was nonetheless substantial. Ironically, before the accident, the filters were called "Cockcroft's Folly" - a name that didn't feel appropriate anymore after the accident.
* On the Boeing 747's first flight, the backup batteries that would have powered the hydraulics in case of engine failure failed upon takeoff. Doesn't sound like much until you find out that the newly introduced high bypass engines were very finicky and the engineers had little idea whether they would stall upon takeoff due to the change in the angle of attack in the air (these engines stalled very easily - at the time a tailwind could easily lead to a stall). Engine stall = no power = no hydraulics = no control over flight surfaces = guaranteed crash = 700,000lb bomb loaded with jet fuel. Thus, they strapped on some batteries to power said hydraulics, but the batteries failed. Fortunately the first flight went according to plan. Source: ''Wide-Body: The Triumph of the 747'' by Clive Irving.
* The tale of [[http://en.wikipedia.org/wiki/Gimli_glider The Gimli Glider]]. On July 22, 1983, a combination of underfueling Air Canada's brand new Boeing 767 and a faulty fuel level sensor led to its pilots not knowing they were low on fuel until they ran out - ''at 41,000 feet in midair''. To top it off, many of the instruments in the cockpit were electronic and designed to be powered by the jet's fuel - meaning that ''the pilots were flying blind and had no ability to control the aircraft''. Fortunately for all concerned, there were a few battery-powered backup systems and a nearby decommissioned landing strip (the former Royal Canadian Air Force Station Gimli), and Captain Pearson happened to be an experienced glider pilot. The Gimli Glider managed to land safely (though it blew out a few tires on the landing gear and skidded to a stop on its nose) with no fatalities and only minor injuries. The Gimli Glider was repaired and flew for 25 more years until it was decommissioned in 2008. One failsafe didn't fail: the 767's Ram Air Turbine, basically a small windmill emergency generator, deployed automatically and provided minimal power to the instruments until the aircraft finally lost too much airspeed just before landing. That said, there were a few issues with the evacuation slides, which would actually be a minor example of this trope (the collapsed nosegear put the entire plane on an angle such that the rear evacuation slides didn't quite reach the ground, leading to some of the aforementioned minor injuries).
* This was an issue that arose with aircraft hydraulic systems in the 1980s. All planes had three separate hydraulic lines, specifically so that if one of them was breached, the other two would prevent a total loss of flight controls. However, this system relied on the plane having at least one intact hydraulic system; designers did not believe it was possible for all three lines to fail (at least not without a level of catastrophic damage to the aircraft that would render the issue moot anyway), so this appeared to be acceptable. That is, until two crashes in [[https://en.wikipedia.org/wiki/Japan_Airlines_Flight_123 1985]] and [[https://en.wikipedia.org/wiki/United_Airlines_Flight_232 1989]] proved that the system had a weakness: because all three lines clustered together at the tail, significant damage in that area could, in fact, breach all three hydraulic lines at once, such that two situations of potentially manageable failures (a bulkhead and an engine respectively) instead ended in catastrophic accidents with a combined death toll of 632 (and it's only thanks to some ''extremely'' skillful flying in the latter case that that number isn't even higher). Following the second accident, all aircraft were fitted with an ''additional'' backup system to account for what had previously been considered an impossible failure; now if the hydraulic lines are breached, a mechanism seals the line ahead of the breach to prevent a total loss of hydraulic fluid.
* On Aug. 18, 2003, Hitoshi Nikaidoh, a surgical resident at Christus St. Joseph Hospital in Houston, Texas, was decapitated by an elevator with faulty door failsafes. The car was supposed to be "out of order", but some jerk removed the sign. Did anybody think to cut the elevator's power?
* Pressurized or liquid gas cylinders are nasty things if not treated nicely. There are [[http://pipeline.corante.com/archives/2006/03/08/how_not_to_do_it_liquid_nitrogen_tanks.php very good reasons]] why cylinders have pressure release valves and rupture disks, and why they shouldn't be diked out. As ''Series/MythBusters'' demonstrated, a gas cylinder can punch a nice, clean hole through a cinder block wall (they built one for the test). In the process, the ''wall was shoved back noticeably'' and the wall behind said cinder block wall was nearly punched through itself.
* In the design of the space shuttle ''Challenger'', the joints between booster rocket segments were sealed by two thin rubber O-rings, the second ring intended as a failsafe if the first ring failed to seal. The SRB design itself wasn't flawed; it worked fine -- so long as you maintained mission parameters, didn't try to launch on a day below the recommended operating temperature, and didn't reuse parts that were obviously deteriorating. The Morton-Thiokol engineers who designed the SRB knew this and objected to NASA and their own upper management overriding their recommendations. Thanks to near-freezing temperatures at the January 28, 1986 launch, ''both'' rings failed to seal and were vaporized. Then there was nothing to stop the rocket's flame from burning away one of the booster's support brackets; the insufficiently secured booster smashed nose-first into the external fuel tank, which then ruptured from aerodynamic forces. Also, pressure suits and the cockpit ejector seats had been discarded after the first few missions since crews of seven couldn't be ejected during launch. In the two-deck orbiter design only the pilot and commander could have ejected, and possibly the two crew seated behind. Because they were a deck down, other passengers (in ''Challenger'''s case, including teacher-in-space Christa [=McAuliffe=]) would have died anyway. By contrast the earlier Apollo and Mercury launchers were both equipped with escape towers -- separate rocket systems that pull the crew capsule off of and away from a faulty booster rocket -- while the side-by-side Gemini design allowed for ejection. And there have been two different Cosmonaut crews saved from certain death by the escape towers launching their Soyuz capsules away from an exploding rocket.
** The O-rings weren't even designed to act as failsafes for the rocket boosters. It was discovered that the stress of ignition tended to bend the joints between two segments of the booster; however, the O-rings, heated by the igniting rocket fuel inside, would expand enough to cover the holes. As it seemed to work just fine, the design wasn't changed. However, as the launch site was in Florida, no one thought to take into account the effect of extreme cold on the rubber O-rings. In fact the Morton-Thiokol engineers specifically told NASA on the morning of the launch that they had no idea how the cold would affect the O-rings (as the launch had already been delayed several times, NASA put pressure on them to give the okay). So in a cascading series of improbable events, the joint bent under the stress of ignition while the O-rings, which had frozen overnight, failed to heat and expand fast enough to seal the gap and were instead vaporized.
** The Soviet ''Buran'' shuttle was launched some two years after the ''Challenger'' catastrophe, but included the ejection seats for the whole crew right from the start of the design process. In fact Soviet designers have long (and quite vocally) criticized the Space Shuttle cockpit layout, calling it a throwback to the WWII era bomber cockpits, and made a point of putting all crew seats on the same deck. Had the Shuttle used the same layout, at least several crewmembers could've possibly been saved.
* The crew of Soyuz 11 died from a leaking pressure valve during reentry. During descent, the explosive bolts which attached the service module to the descent module were fired simultaneously instead of sequentially. This damaged the pressure valve which was supposed to equalize pressure inside the module once they entered Earth's atmosphere, causing it to open while the module was still in space. There was a manual override for the valve, but it was located underneath the seats, making it almost impossible to find in an emergency. Later a cosmonaut on the ground attempted to close the valve himself and found it took over a minute to do so, while the biometric sensors on one of the cosmonauts showed 40 seconds had elapsed between loss of pressure and death. In reality, oxygen deprivation would have disabled the cosmonauts in far less time, approximately 15-20 seconds.
* Apollo 1 and ''Liberty Bell 7''. The latter case came first.
** After Virgil Grissom's Mercury capsule splashed down, the explosive bolts on the hatch (which were there for emergency egress purposes) went off, allowing water to rush into the tiny capsule and sink it. Grissom was very much in danger of drowning, as the crews of the recovery helicopters were trained ''too'' well: they had to give the capsule up as a lost cause before they finally realized the astronaut was also having difficulty staying afloat and rescued him. After losing a spacecraft, NASA decided explosive bolts were a bad idea, and did not incorporate them into subsequent designs, instead opting for doors which required much more deliberate effort to open. On the Apollo 1 spacecraft, the door opened inward, which, ironically, was a safety measure.[[note]]Pressure doors are supposed to open in the direction of positive pressure so that this pressure works ''with'' the door to keep it closed under normal conditions. Thus, airliner doors always open ''inward'' while submarine hatches always open ''outward''.[[/note]] While the crew of Apollo 1 was doing a test on the ground, a fire started in the capsule. The atmosphere inside was pure oxygen at greater than sea level pressure (in case you flunked chemistry, pure oxygen powers any flame), and NASA had also managed to put all kinds of flammable materials in the cockpit. As the fire rapidly grew, the pressure grew inside the cockpit, making it ''impossible'' for any human being to open the inward-opening door, which, due to the lack of explosive bolts, could not be blown open. Smoke and fire turned the cockpit into a fiery tomb from which there was no escape, and all three astronauts died. One of these astronauts was Virgil Grissom.
** The fact that the cabin was pressurized to about 2 atmospheres, to reflect the net outward pressure the capsule would experience in space, was also a major contributory factor. It meant there was both far more oxygen available to accelerate the fire and that an inward-opening door was simply physically impossible to open until the oxygen pressure was reduced. Just as there were no emergency bolts, there was also no way to depressurize in time. A means of rapid depressurization did exist, called the cabin repress valve; there was just no time to use it. According to the [[http://history.nasa.gov/SP-4029/Apollo_01c_Timeline.htm Apollo One Fire Timeline]], the crew noticed the fire (by verbal report) at 23:31:04.7. The Command Module ruptured due to pressure at 23:31:19.4, less than 15 seconds later. During the investigation, they determined that had the repress valve been opened, it would have delayed the rupture by about one second. Even if they could have instantly flushed the atmosphere, the interior surfaces had foam padding, protecting bulkheads and side panels from being scuffed and dinged during ground testing, that was going to be removed prior to an actual launch. After having been soaked in 2 atmospheres of pure oxygen for 3+ hours, the foam would have burned like napalm in hard vacuum.
* A similar story happened in the Soviet program too, but wasn't really a case of the ''failsafe'' failure -- only the crew error. The cosmonaut on a week-long test in an oxygen chamber decided to brew himself some tea and turned on a hot plate. As he was scheduled to have some medical tests taken that day, he needed to clean and disinfect the electrodes' attachment points on his skin, which he did with an alcohol-soaked cotton swab, which he then proceeded to unthinkingly throw in the general direction of the garbage bin. Unfortunately the swab landed right on the hot plate, and in the chamber's pure oxygen atmosphere combusted immediately, starting a major fire. Due to the design of the chamber door it was opened only some 20 minutes later, when the cosmonaut in question, Valentin Bondarenko, had already sustained third degree burns, from which he died a couple of days later.
* The Apollo 13 Failsafe Failure was even more spectacular (the fact that NASA managed to bring the command module home with all three men alive is often considered NASA's SugarWiki/MomentOfAwesome). It was essentially a whole ''series'' of Failsafe Failures.
** The faulty oxygen tank on Apollo 13 was previously installed on Apollo 10, but was removed and sent back to the factory because of a design change. It was jarred during removal because someone forgot to remove a screw that was holding it in place, causing it to be pulled up a few inches and dropped by a machine arm. This knocked the drainage tube in the tank (which was also part of the electronic level gauge) out of alignment, which prevented the gauge from properly indicating when the tank was empty. The tank contained an electrical heating coil that could be turned on to heat the oxygen inside for use in flight, and a pair of fans that were used to stir the contents of the tank to get an accurate level reading in ballistic (''zero-g'') flight. During a test run, because the gauge wasn't working properly, technicians believed the tank wasn't draining, so they turned the heater on. There were two thermostats on the heater which should have opened and broken the electrical circuit if it got too hot, but the tank circuits were designed to run on 28 volts, provided by the on-board fuel cells during flight. Since this was a ground test, the heater was powered by the ground support equipment, which runs at 65 volts. The thermostats were rated for 30 volts maximum, and the too-high voltage welded the contacts shut. There was ''also'' a human watching an outside temperature gauge that registered the heat inside the tank, but the gauge was only designed to go up to 80 degrees Fahrenheit (which was about 200 degrees hotter than the sub-zero temperature the oxygen would be stored at). Since the needle never went above 80, he didn't realize the tank was getting up to 1,000 degrees inside, and as a result the insulation coating the electrical wires inside the tank melted... which left them vulnerable to short-circuit and sparking. Apollo 13 was launched on schedule with the faulty tank, and four days into the flight, when they flipped on the stirring fans in the tank, the damaged wiring sparked and ignited the tattered remains of insulation, and the fire inside the tank promptly exploded it.
** To make matters ''even worse'', the Apollo craft carried two oxygen tanks for extra safety, but they shared some plumbing, and when tank #2 exploded, it took several critical parts of tank #1's plumbing with it. Result: the oxygen in ''both'' tanks was soon lost, and the astronauts inside would have died in a few hours if they hadn't been carrying a healthy lunar module with its own oxygen supply.
** At least the nuclear fuel rod cask was fine. A miniature nuclear pile was built to power some instruments that were to be left permanently on the moon, but just in case the mission never got to the moon, a ceramic cask was built to contain the nuclear fuel, and it was designed to survive a fiery reentry to Earth... just in case. And survive it did.
*** The SNAP-27 carried on Apollo 13 (and Apollos 12, 14, 15, 16, and 17) was a Radioisotope Thermoelectric Generator, essentially an atomic battery, not a reactor (there's no chain reaction fission going on, that's the clue). It basically turns the heat of spontaneous radioactive decay into electricity via thermocouples. It is similar in design to the [=RTGs=] carried on Pioneer, Voyager, Cassini, and the New Horizons probes. They've also been used to power lighthouses, Antarctic science experiments, and anywhere you need a decade's reliable power source. It was probably one of the most reliable components flying on Apollo 13. Even if the cask had ruptured during reentry, the plutonium inside would have remained intact and ended up at the bottom of the same 20,000 ft. deep trench, doing absolutely no harm to anyone for the next 5,000 years.
* The Ariane 5 rocket's maiden flight: The navigation system had two redundant computers to handle hardware failure, but because a software error happened instead, both computers crashed simultaneously. The consequences threatened to break the rocket apart, but were successfully caught by ''another'' failsafe... [[SelfDestructMechanism the Range Safety system]].
* As shown on ''Series/MythBusters'': plugged safety valve on water heater + thermostat failure = [[SteamPunk steam-powered]] [[ThereIsNoKillLikeOverkill ballistic missile]]. As reported all over the news, one such incident occurred in a strip mall in Burien, WA on July 28, 2001.
** Part of the start up procedure for an industrial or commercial boiler (a water heater is technically considered a type of boiler) involves getting the pressure (steam) or temperature (water) high enough to make the safety valves lift. If they don't, you shut it down. The things that hold them closed are set to lift automatically at the maximum working pressure/temperature. Broken gauges and sensors can still result in one exploding during startup if the valves (which don't require power) are broken because it won't shut down automatically and the person doing the startup won't know that there is a problem until it is too late.
* The original DC-10 airliner cargo door fault that caused [[https://en.wikipedia.org/wiki/Turkish_Airlines_Flight_981 the crash of Turkish Airlines Flight 981]] in 1974. Firstly, the cargo door opened outwards, as opposed to inwards, in order to maximize cargo capacity. This meant that air pressure inside the plane would naturally try to force it open, requiring a complex set of locking hinges and pins to keep it closed. Secondly, the door handle was supposed to be impossible to close unless all the pins were safely latched, but in practice, if enough force was applied to the handle, the internal mechanisms would bend out of shape without latching. So, the door could still appear to be closed and locked even when it wasn't. Thirdly, warning placards to inform the ground crew of the potential problem were installed, but they were only in English[[note]]The label on the accident plane was printed in both English and Turkish, but the baggage handler who loaded the plane didn't speak either language.[[/note]], which most ground crews around the world couldn't read. And finally, when the door blew out, the pressure change collapsed the cabin floor and severed ''all'' of the aircraft's control lines, including the redundant backups, rendering the pilots helpless. Airliners have floor vents to prevent such a catastrophic failure, and the DC-10 ''DID'' have them -- they simply were too small and the pressure in the cabin and in the cargo compartment didn't equalize fast enough to prevent the floor from collapsing.
** And the reason that there were even warning placards in the first place? In 1972 there was an American Airlines flight that had the exact same problem, but that one got a small but significant lucky break: not all of the control lines were severed, so the pilots retained some level of control and managed to land the plane with no loss of life. [[note]]The American Airlines DC-10 was lightly loaded when the blowout happened, so the cabin floor only suffered a partial collapse.[[/note]] Because the only way that the FAA could force [=McDonnell=] Douglas to fix the planes was to ground them all and not let them fly until the defect was corrected, there was a gentlemen's agreement between the head of the FAA and [=McDonnell=] Douglas to put in this "failsafe" rather than fix the fundamental issue.
* Modern UsefulNotes/FormulaOne cars have anti-stall systems in the engine management computer. These are very useful as long as they don't go off accidentally on the starting grid and put the car into neutral when it ideally should be in first. This is more embarrassing than dangerous though.
** The system is capable of forcing the car to continue moving when the driver attempts to stop. This caused test driver María de Villota to crash into a stationary truck, suffering serious injuries that may have led to her death 18 months later.
* HMS ''Ark Royal'' sank after being hit by a torpedo that, among other things, caused flooding that shut down the boiler which powered the emergency pumps and ''all'' the electrical generators, the ship having been built without dedicated emergency generators separate from the main system. Oops. (Poorly engineered and inadequate electrical systems were a "feature" of all Royal Navy ships of the period because their urgent need to rearm arose right when the Great Depression was making R&D funds hard to come by.)
** USS ''Enterprise'' (the fifth one, CV-6) had a steering engine breakdown in the middle of one of the carrier battles for Guadalcanal, jamming the rudder into a hard turn. Fortunately the crew had rigged an emergency steering engine in case this very thing happened. Unfortunately, everyone in the compartment with the backup was knocked out by toxic gas released from nearby fires. It took nearly thirty minutes for someone to reach the compartment, and before he could turn on the backup motor he passed out as well; fortunately he came to fifteen minutes later and managed to turn on the backup motor. While all this was going on, another Japanese air raid was detected approaching but turned away fifty miles out.
** The Japanese carriers at Midway had their emergency generators for the firefighting system just off the upper hangar deck, at about the midships line. This placed them on the same deck where any bomb that struck the carrier would probably explode, at about the spot enemy pilots would use as an aiming point. At least two of them probably lost the backup generators to shrapnel from exploding bombs.
** Similarly, the British Navy during UsefulNotes/WorldWarI had one of the safest and most efficient systems of transferring explosives from turrets to magazines. Unfortunately, [[GeneralRipper Admiral David Beatty]] of the Battle Cruiser Fleet thought that they weren't efficient enough, and so decided not to use them, unlike his superior and commander of the Grand Fleet, Admiral Jellicoe. The result? At the Battle of Jutland, both the battlecruisers of the Battle Cruiser Fleet and the dreadnoughts of the Grand Fleet sustained similar hits. But while the dreadnoughts stood up beautifully, firing back and damaging several of their German counterparts so badly that they were effectively forced out of the war, three battlecruisers exploded in as many minutes.
* {{Inver|tedTrope}}sion: Electrical codes require failsafe protection (fuses or circuit breakers, for example) on all circuits, to stop the current flow in the circuit when the wire gets hot enough to possibly catch fire. Aspiring electricians will have the failsafe rules for preventing electrical fires hammered into their heads repeatedly (electrical fires being as much of a danger as, if not more than, electrical shock). So it is jarring at first to learn that circuits for fire pumps MUST NOT have any fuses or circuit breakers of any kind. Why? If the fire pump is running, it is assumed there is already a fire, and a fuse or breaker breaking the circuit (and shutting off the pump) isn't going to improve the situation.
** Probably applicable only to the American grids, which have a peculiar system where the neutral wire is isolated from the ground. European grids have the neutral grounded, so short circuits do not usually propagate for a large distance, making this requirement somewhat irrelevant.
*** One result of this is that some American three-phase electrical outlets have up to '''five''' electrical contacts, one for each of the three alternating-current phases, one for the un-grounded neutral wire, and one for the ground-wire.
** The grounding wire is a failsafe, usually connected to the chassis of the appliance so that a short circuit dumps into it rather than across your hand or anything else touching it. However, you can "disable" it by using a three-prong to two-prong adapter (ironically, the two-prong adapter has a tab so you can connect a grounding wire to it... but nobody does anyway).
** Zinsco brand circuit breakers, installed in countless homes from the 1950s to the 1980s, were infamous for [[ItWontTurnOff spontaneously arc-welding themselves into the "on" position]], leading to thermal runaway and structural fire in the event of an overload or short. Federal Pacific Electric breakers were similarly [[NoOSHACompliance non-UL-compliant]] and could randomly fail to trip after years of seemingly smooth operation.
* One of the main causes of the Three Mile Island nuclear accident was a pressure relief valve sticking open. At first the dangerous pressure is relieved -- and then the coolant keeps escaping through the stuck-open valve.
** Which the operators would've noticed, if the indicator light had been connected to the valve itself rather than the switch that controlled the valve.
** Adding to the problems there, the plant was being operated with several alarm lights permanently locked on due to some type of failure in the system causing the alarms to read false, and instead of fixing the issue, they just ignored them. So when the things which those alarms were supposed to be monitoring actually reached the alarm point... no-one knew.
** Ironically, the manager on duty at the time of the accident had gone to see a movie the night before... ''The China Syndrome'', which is about safety coverups at a nuclear power plant, complete with a near-meltdown situation.
** Another problem was the control room was equipped with more than 120 separate dials, alarms, and gauges, making it very difficult to isolate the root cause when the accident triggered virtually all of them at once.
* The SL-1 reactor, site of the only fatalities directly caused by a nuclear reactor accident in the US. It was built for and run by the US Army as a prototype for a small, semi-portable reactor to power mobile command centers. A technician was performing a maintenance test on it while it was shut down. Said test required him to manually elevate the reactor's only control rod a few inches. He raised it almost two feet. The reactor became instantly active and went prompt critical[[note]]Despite what HollywoodScience says, a reactor GoingCritical is ''not'' a bad thing. All it means is that the reaction is self-sustaining, i.e., it's turned on. '''Prompt''' critical, on the other hand, means you're screwed before you even have time to say "OhCrap."[[/note]], the sudden power spike caused the water in the reactor to superheat and flash to steam, and the pressure surge ejected the control rod, which [[ImpaledWithExtremePrejudice impaled the technician on the roof of the compartment]]. Luckily the other failsafes that weren't violated/ignored to do this kicked in and shut down the reactor, but not before the other two people at the site were killed by the explosion -- while also receiving enough radiation to require all three to be buried in lead-lined coffins entombed in cement.
* The Deepwater Horizon oil spill in the Gulf of Mexico occurred because the blowout preventer, a supposedly idiot-proof device that seals the pipe in the event of something like, say, a rig explosion, failed. It turns out that the device had been tampered with (one of the rams that would have sealed the pipe was taken out to make room for some kind of monitoring equipment, amongst other things) but it's still a great example.
** It gets better. That was the ''backup'' device. Someone noticed a problem with the primary during some tests, hence Transocean fitted the monitoring kit and said "Oh, don't worry, the backup will take care of it." Predictably, when it was called upon, the backup failed.
** BP's safety record is one of the worst in that regard, in that disabling the failsafes and monitors to increase productivity seems to be SOP for the company. For example, the earlier Texas City Refinery Explosion occurred partly because someone disabled an overflow alarm, which, when the other one broke, started a chain reaction that killed 17 people.
*** [=TransOcean=] has an even worse safety record, actually citing the year of the spill as their ''best year ever'' and their least number of accidents.
* The [[http://en.wikipedia.org/wiki/1993_Big_Bayou_Canot_train_wreck Big Bayou Canot train wreck of 1993]] happened because a barge struck a railroad bridge hard enough to distort and displace the tracks, but not hard enough to actually break them, which would have set off warning signals and stopped the train.
* Cancer is an example of a failsafe failure of a failsafe failure of a failsafe failure of a failsafe failure. Precancerous cells are a normal occurrence in the human body due to imperfections in DNA replication. Fortunately, human cells have proliferation control mechanisms, though failures in these systems can cause inappropriate cell division. On top of this, cells have other control mechanisms, such as cell contact signals that stop cell division, cell survival signals, immune detection of cancerous cells, and telomeres limiting the number of cell replications. These other failsafes are overcome by natural selection and the law of large numbers, though, as mutations during DNA replication compound further in subsequent generations of the cell line.
* Alzheimer's, meanwhile, is to some extent a problem because the failsafe works too well: the brain is equipped with so many tiers of redundancies and backups that it can suffer a huge amount of neural degradation before the person's everyday performance is noticeably affected by it -- but this means that by the time the symptoms are obvious, everything the brain can do to try to prevent Alzheimer's from happening already ''has'' been done, and the battle is mostly lost. In practice this is less of an issue because, at least for now, even if Alzheimer's is caught early, there's very little that can be done to alter the outcome or even slow the progression.
* The fantastically elaborate design of the Stuxnet worm managed to override every safety system used to ensure that the gas centrifuges at the Natanz nuclear facility couldn't malfunction. The whole system, from the Windows operating system of the controlling workstation to the SCADA PLD controlling the speed of the centrifuges was essentially taken over by the worm. The worm even managed to make the SCADA system "lie" to the computer connected to it by playing back the data from a normal run, à la Speed, as the PLD caused the centrifuges to spin out of control. This was caused deliberately of course, but it shows that human ingenuity, as well as human stupidity, can override failsafe systems.
* The failsafes in the Fukushima Daiichi (Fukushima I, that's a Roman numeral one) nuclear power plant worked as intended after the 11 March 2011 earthquake in Japan, safely stopping all three of its working reactors. But then the tsunami came and washed out all the emergency diesel generators poorly placed right at the shore, and the plant's connection to the grid was severed by the quake. So the plant lost cooling at all of its six reactors, which led to the successive meltdowns of at least three of them.
** What happened to the diesel generators is known as a "common mode failure" in engineering circles, and it's one of the hardest hazards to anticipate and prepare for.
*** The proposed Molten Salt Reactor design uses fuel that has to be molten for the reactor to work. The core is kept from draining by constantly cooling a flattened section of pipe so that a plug of salt stays frozen; if power to the reactor building is lost, the plug melts and the fuel salt drains into a passively cooled drain tank that is configured to prevent nuclear fission, averting this trope in the simplest possible way: the safety system is powered entirely by the force of '''gravity'''.
** Even that might have been survivable thanks to another safety measure designed in: the reactor power system had the capability of getting electricity from truck-mounted mobile generators, which were, in fact, on scene within a few hours. The only problem was that no one had verified that the generators and the power system they were supposed to supply emergency power to had compatible connectors for the power cables.
* The Russian submarine ''Kursk'' sank due to one such design flaw: a faulty torpedo was able to leak hydrogen peroxide, which proceeded to react with the torpedo ''casing'', causing the first explosion which then set off the fuel and munitions in the torpedo bay. There are arguably several flaws in the design that let this happen (starting with explosions ideally not being the immediate consequence of a ''leaky pipe'').
** Even this would not have been a problem had there not been a ventilation duct through the bulkhead. The bulkhead itself was strong enough to contain the explosion of the first torpedo (which itself had not had its welds tested since it was only a dud and thus had no warhead), but the vent was not, and thus allowed the blast to get through, and incapacitate everyone in the command room in the second compartment. The torpedo tube door itself should also have contained the blast, but it was a common issue that the doors often required several tries to properly close due to bad contacts. Finally the emergency buoy which should have automatically released in the event of a catastrophic failure was disabled after concerns during a previous mission in the Mediterranean that it would trigger accidentally and give away the submarine's position.
** Almost exactly the same accident befell HMS ''Sidon'' in 1955 (except that the rest of the crew were able to evacuate), and resulted in the British Navy dropping that torpedo design several decades earlier. Russia was basically either lucky or unlucky enough (depending on your point of view) to avoid similar incidents during the 20th century.
* The power outage during [[UsefulNotes/SuperBowl Super Bowl XLVII]] was ironically caused by the failsafe ''itself''. A power relay, which was supposed to activate and relay power from another source in case of an outage, activated when it wasn't supposed to, causing a partial blackout in the stadium.
* Stories like these are generally mass circulated in maintenance circles as a reminder for safety and a reason for preemptive inspection. Always verify the numerous safety pins and indicators in an ejector seat before even touching it... because a system capable of sending a grown man eighty feet in the air in under two seconds doesn't leave much behind if the aircraft is inside a hangar with a forty-foot ceiling. Overpressurizing an aircraft system has caused an aircraft to crack in half. Altering the bell mouth of a fuel manifold so it doesn't knock against a back nut for a fuselage panel... that was preventing it from forming a vacuum seal and caving in the manifold.
* sudo (in POSIX-style operating systems) and UAC (in Windows) are failsafes, sort of, to make the user aware that whatever they're about to do may have an impact on the system. When enabled, most programs that try to perform an action that will cause system changes will trigger this. Bypassing it, by either running as root or disabling UAC (or even [[https://blogs.msdn.microsoft.com/oldnewthing/20160816-00/?p=94105 leaving the latter at its default "recommended" setting]]), will allow a program to do whatever it wants.
** Similarly, Android has a checkbox in its security options[[note]]From Android 8 ("Oreo") onwards, it is instead in the permissions of individual apps, such as file browsers[[/note]] to allow installing app packages from outside the Google Play Store. It's deactivated by default, and if you check it, it will warn you of possible damage -- so have fun if that apk file that supposedly contained a game also contains something much nastier.
* An example of a double failsafe failure. After several tragic mid-air collisions (most notably over India in November 1996, claiming 349 lives), a system was introduced to prevent such collisions from happening: all airliners were equipped with TCAS (Traffic and Collision Avoidance System), which detects other aircraft on a collision course and tells the crew whether they should climb or descend to avoid a crash. Then, in January 2001, two Japan Airlines aircraft with a total of 677 lives on board nearly collided over Suruga Bay, even though both of them were equipped with properly working TCAS -- because at the same time, one of the crews received commands from the ATC controller to avoid a collision, those ATC commands contradicted the TCAS commands, and that plane followed ATC and disregarded TCAS, while the other plane did not receive ATC instructions and therefore followed TCAS. It was only thanks to one pilot's quick judgment and immediate evasive action that a collision was averted, and the two aircraft still missed each other by just 35 feet (11 metres). The Japanese investigation commission asked the ICAO (International Civil Aviation Organization) to establish a clear set of rules on whose commands take priority in such a situation. For some reason though, the ICAO ignored the pleas, and seventeen months later two aircraft collided over southern Germany for exactly the same reasons, killing 70. Only then were TCAS commands given absolute priority.
* Over the course of WWII, the Germans attempted to add failsafes to the bombs they dropped on England in order to create more and more complicated WireDilemma situations that would hopefully kill British bomb disposal technicians. Occasional instances of this trope allowed the British to safely disassemble the new bomb types and figure out how the failsafes worked and from there how to disarm the bombs when they weren't broken. Of course, [[InvertedTrope in this case]], the feature that failed was a fail-''deadly'', the failure of which caused the bomb to fail-safe, which is to say [[WheresTheKaboom the bomb didn't work.]]
* Probably the worst known roller coaster incident in history occurred on the Battersea Funfair Big Dipper on 30 May 1972. The lift chain malfunctioned, followed by the anti-rollback mechanism, and the train rolled back to the station and collided with the other train. Five children died and another 13 were injured. The park struggled on for another 16 months, before closing at the end of the 1974 season.
* The Smiler roller coaster at Alton Towers suffered a bad incident (although not as bad as the Battersea incident) on 2 June 2015; the operator, following standard procedure, sent a test train around the track, but assumed that it had completed the circuit instead of checking that it had. He then sent a passenger train, and the ride safety systems detected the impending collision and shut down the ride -- and the operator assumed that this was a malfunction in the safety systems, and manually restarted the ride without doing any further checking, probably using a key he wasn't supposed to have.
* Class D cargo holds were designed to be airtight in order to starve cargo fires of oxygen, preventing them from bringing down a plane; they didn't even have fire detection equipment because it was assumed the only issue they'd cause was ruined cargo. However, in the case of [=ValuJet=] Flight 592, the fire was caused by [[NoOSHACompliance incorrectly declared, unsafely packaged oxygen generators]][[note]]The generators, which were made to provide oxygen to aircraft passengers in the event of depressurization, came from three other [=ValuJet=] planes. Because the generators were expired (meaning they were no longer fit for service), the ground crews assumed they could no longer produce oxygen and took no measures to prevent them from activating. Furthermore, some idiot labelled them as "Oxy Cannister - EMPTY", misleading people who might have known better into thinking these were something other than cans of hazardous chemicals.[[/note]], resulting in a self-sustaining inferno that brought the DC-9 down within minutes, killing all 110 occupants. Class D holds were unsurprisingly discontinued and converted to Class C or E after the accident because the FAA realised how useless hoping a cargo fire would peter out mid-flight was, especially since the pilots of Flight 592 were only alerted to the fire by a MassOhCrap in the cabin due to the lack of fire detection equipment.
* [[https://en.wikipedia.org/wiki/Automatic_activation_device Automatic activation devices]] are lifesaving devices in skydiving, intended to automatically deploy the reserve parachute if the main has failed or is not open and flying at a certain altitude. They have saved hundreds of lives, but sometimes they can fail disastrously. As they register air pressure changes and acceleration, they can sometimes fire unintentionally if the skydiver tries something daring at very low altitude, resulting in both main and reserve canopies flying simultaneously. There are three possible malfunctions at this point: ''biplane'', where the canopies are one above the other, ''side-by-side'', where the canopies are beside each other, and ''downplane'', where they are ''vertically'' beside each other, creating no lift. Biplane and side-by-side are mere nasty nuisances, but the downplane malfunction is likely to be fatal unless the skydiver a) has enough altitude and b) manages to perform an immediate main cutaway. And pray...
* This is believed to have contributed to the [[https://en.wikipedia.org/wiki/Hinton_train_collision Hinton train collision]] in Canada in 1986. A CN freight train ran a red signal and collided head-on with a passenger train, killing 23 people, including the crew in the engine. While the lead locomotive was equipped with a "dead man's pedal," the subsequent investigation found that it was common practice for CN crews to keep the pedal depressed with a heavy object so they didn't need to keep their feet on it. The engineer was found to have a number of health problems that put him at high risk of a heart attack or stroke. It also didn't help that the crew was suffering from a severe lack of sleep due to the shifting train schedules. One possible explanation is that the engineer was incapacitated and, with [[DeadFootLeadfoot the dead man's pedal depressed, the train kept running when it should have stopped]]. Ironically, the second engine had a newer reset safety control that didn't require engineers to keep their feet on the pedal, but it wasn't used because [[SkewedPriorities the cab wasn't as comfortable]]. After the accident, the railroad industry moved toward these safer controls.
* Modern internal combustion engines with multi-gear transmissions have at least two failsafes to protect the engine, transmission and/or drivetrain from catastrophic overspeed failures. The first is a governor that automatically shuts off the fuel flow at or slightly above redline. The second is a set of interlocks in the transmission meant to prevent gear changes from placing the engine, transmission, and/or drivetrain into a state that will either severely damage or destroy any part of them. These are not new technologies. The former has been around since the 1940s (early gas turbines had them) and maybe even earlier. The latter was a standard feature of mid-80s Honda 5-speed manual transmissions (5th to reverse wasn't possible without stopping at neutral along the way). If both fail, you probably just totaled your car.
* The [[https://en.wikipedia.org/wiki/Buncefield_fire Hertfordshire Oil Storage Terminal fire]] in 2005 is believed to have been caused by a gauge malfunctioning, preventing the computer controlling the pumps from realising that a tank was full to overflowing and allowing petrol to pour out through the ventilators in the roof (another failsafe, ironically, designed to allow fuel vapour to disperse safely) until it found a source of ignition. This leak might have been noticed before it became disastrous if the failure hadn't occurred at 6AM on a Sunday, when there was only a skeleton crew on site, although the timing also meant that nobody was in several nearby industrial and office buildings that were trashed when the first explosion occurred. Either way, the end result was a fire that took three-quarters of the Hertfordshire county fire brigade two days to bring under control, property damage in the hundreds of millions and [[EverybodyLives no fatalities.]]
* Qantas Flight 72 is probably the ultimate example of a failsafe failure, where the failsafe didn't just contribute to or fail to prevent a disaster, but single-handedly caused one. A single line of corrupted code caused the plane's computer to erroneously believe the plane was flying at an incredibly high angle and therefore in danger of stalling, triggering two different failsafes (one related to angle, the other to stall prevention), which brought the plane's nose down ten degrees between them. However, the plane was in reality flying level, so the ten-degree pitch-down sent the plane into a dangerous dive. Fortunately, the pilots were able to regain control before the plane crashed, but the sudden change in gravitational force meant that anything and anyone that wasn't strapped down or similarly restrained was thrown around, which resulted in dozens of injuries.
* Flaws in anti-stalling software were determined to be the cause of the 737 MAX crashes in early 2019; a glitch while the planes were taking off would record the plane as stalling and force a correction, which the crew would try to re-correct, causing a back-and-forth struggle that ultimately caused the planes to spiral out of control and crash. To make matters worse, there were indications that Boeing knew of the faulty software but [[ChristmasRushed pushed the MAX out anyway]], getting them into further hot water when the plane was grounded for the rest of the year.
* A RAID system with multiple hard drives is supposed to guard against hard drive failures by keeping redundant copies of the data across the drives, but if all of them are purchased from the same manufacturer, which happens to have a bad batch, they can all fail simultaneously. This happened to Website/ThisVeryWiki in 2020.
** Also played straight if RAID 1 (every drive stores a copy of the data) is naively used as a data backup solution. The thought is that since RAID 1 makes another copy, and one of the pillars of having a data backup solution is multiple copies of that data, RAID 1 fulfills this role. Except the purpose of doing data backups is to be able to ''roll back'' to a certain point in time. RAID 1 does not fulfill this requirement if you delete a file you actually need later or if ransomware encrypts the data (said encryption will happily carry over to all copies).
* Backups can be a lifesaver in case of drive failure, but if the backup media is bad or automatic backups are failing without the I.T. department knowing, in case of data loss, it's game over when the backup can't be restored. Or you fail to make offsite backups and your office space burns down or a pipe breaks over your data center.
* Helios Airways flight 522, which depressurized and became a ghost plane because the Boeing 737’s pressure system was switched from automatic to manual so the ground crew could check out a potential problem and the mechanics failed to change the setting back to automatic afterwards. The pilots subsequently overlooked the incorrect setting three times during checklists. The other failure was the low cabin pressure alarm; it sounded just like the takeoff configuration alarm, which can only sound on the ground, so the pilots assumed there was a glitch. The ground controller asked about the pressure switch, but hypoxia had set in too quickly and the pilots were already too impaired to check it. The plane later ran out of fuel and crashed.
* Exaggerated in the case of an incident that took a chunk of the Internet down for most of a day in April 2021. A very large server farm owned by hosting provider [=WebNX=] suffered a power failure, causing the onsite backup generators to automatically kick in... but, for reasons that have yet to be determined at time of writing, [[https://www.theregister.com/2021/04/06/webnx_data_fire/ one of them suffered a truly spectacular mechanical failure and set itself on fire.]]
* The fire in 1980 at the MGM Grand in Las Vegas. The fire took out the automatic fire alarm that would have warned guests of the fire. The back up system for the fire alarm was the public address system as well as the phone system that could be used to call guests in their room. However, the smoke from the fire made going to the room where those things could be control from impossible.
* Modern computer hardware and software typically has something to handle things that result in an error. For example, if you attempt to divided by zero, the CPU will raise a fault condition. The software is then supposed to handle this. However, this calls a software routine which, depending on how it was coded, can cause another fault (a double fault). But ''this'' is also dependent on there being a valid software routine, so if ''that'' runs into another fault, the CPU just goes "screw it" and resets the entire system.
* Lots of [[Website/{{Reddit}} r/[=TalesFromTechSupport=]]] stories involve this trope, usually the result of [[PointyHairedBoss idiotic]] [[BadBoss or awful management]], incompetent/lazy contractors, or other assorted morons not properly investing in or using fail-safes for data, servers, etc. Inevitably things go south and the failsafes fail (or worse), and quite often this teaches management the value of backups and failsafes (that, or they continue to ignore it anyway).
* The [[https://en.wikipedia.org/wiki/Grenfell_Tower_fire Grenfell Tower fire]] was a result of one part this trope to one part CuttingCorners. Normally, when a fire breaks out in similar tower blocks, the fire service advises residents to shelter in place rather than evacuate: The dividing walls and floors between individual apartments are concrete and all main doors are made of flame-retardant material rated for at least thirty minutes before burning through, more than enough time for fire crews to arrive and bring it under control, and this is generally considered safer than trying to get hundreds of people down the stairs to the ground floor all at once. However, what was not anticipated by local fire codes was that when the building was covered in aluminium siding containing thermal insulation material during a full refurbishment some years earlier, the owners and their contractors settled upon the ''non'' fire-resistant insulation because it was slightly cheaper and [[AintNoRule the building codes didn't explicitly forbid doing so.]] The upshot of that being that when the heat-exchanger at the back of someone's refrigerator overheated and caught fire, the flames spread to the cladding through an open window and began to engulf the entire building faster than the firefighters on scene could contain it.
* All three Cajon Pass runaways are prime examples of this, and all of them were preventable disasters.
** [[https://en.wikipedia.org/wiki/San_Bernardino_train_disaster The 1989 Cajon Pass Runaway]], (better known as the San Bernardino train disaster) was caused by two critical factors. The primary one was rather more on human error, but has some nods to it; clerks at Southern Pacific's Mojave Yard underestimated the weight of the cargo, [[https://en.wikipedia.org/wiki/Trona trona]], when the BOL shipping documents that was turned in from the shipper's superintendent did not include a weight for all 69 hopper cars of the train. Normally the Bill of Lading would indicate the weight and the number of the rail cars used that's acceptable for a railroad to ship the loaded rail cars to it's destination. This was not the case with the weight information, as one of the shipping clerks estimated the cargo's weight to be around 4000 tons in total when it was actually 6900 tons after the assistance chief dispacher in the Los Angeles office found the corrent measurement from SP's computer system. Combine that with the light (empty) weight of the hopper cars (2100 tons) and you get a 9000 ton juggernaut. The second factor on the other hand definitely falls under this. Dynamic brakes uses the kinetic energy of a train's turning wheels to create a electrical energy that reverse the magnetic field created by the engine's main generator, and thus reducing the train's speed. However, of the 6 locomotives involved, only 2 had fully operational dynamic brakes. One had limited dynamics and the other 3 didn't work at all, including one of the two helper units added to the rear-end of the train. This was a startling discovery that the head-end engineer doesn't have near the braking power he thought he does, but one more secret was revealed; when the helper engineer pulled the emergency brakes, it cut out all the braking action of the dynamic brakes. At that time it was a safety feature to keep the wheels from locking and sliding off the tracks. 
In this case though, with the fully operational air brakes melting away from the intense heat, the dynamic brakes were the only thing holding the train back. Without them, the train took off and exceeded up to 110 mph before crashing at a curve into a small residential area at Duffy Street in San Bernardino, killing 4 people. After the derailment, Southern Pacific changed their rules so that every train without a specified weight was assumed to be carrying its maximum allowable load. Southern Pacific was bought out by Union Pacific in 1996 seven years after. Today, Union Pacific still runs trains over the rails where the disaster happened.
*** The pipeline rupture that followed 13 days later that took 2 more people and caused more property damage didn't have to happen either. When removing and examining the piece of pipe that burst after the fire was put out, Investigators from the NTSB found gashes of the pipe. Some possible suspects where believed to be some of the equipment used [[note]]most likely several front-end loaders and a large backhoe[[/note]] in the cleanup of the derailment and were near where the pipe was located, which was carefully marked with stakes, but the damage went unnoticed. The damage was believed to be done either the removal of the wreckage or the clean up of the spilled cargo. Not to mention, the company who operated the pipeline rushed their inspection after the train was removed because supposedly they were under pressure to get the gas moving again to it's final destination. It was also revealed that the safety values meant to stop the pipe running from a detected rupture or a leak were not repaired and failed to trigger when the pipe open up. Overall, two separate but related disasters rocked the town of San Bernardino and showed the need of new safety measures.
** The 1994 Cajon Pass Runaway: An Atchison Topeka and Santa Fe intermodal train lost control while descending the steep grade and rear-ended a halted Union Pacific coal train, costing over $4 million of damage and leaving 2 train-crewmen injured. Investigators from the NTSB found that the train's air brakes failed to trigger due to a blockage in the air line. An examination showed that the air brakes of the 4 Santa Fe locomotives involved and the first 3 cars only worked at the time and showed signs of being overheated, whereas the rest of the train's air brakes did not trigger at all. A number of tests indicate that the first set of cars were working, although some had showed soft application. From Car 9 and Car 12, the air brakes became much less effective until somewhere at the middle and for the rest of the train, the air pressure could no longer hold up and the brakes became irresponsive at all. It is very likely that while descending down the pass, the slack action bunged the train couplers and the draft gear together, bending the air hose and pinching off the air plow from the engines to the rear of the train, making the train's air brakes to trigger impossible. Although the dynamic brakes and the emergency brakes were working on the Santa Fe units, it was all but inevitable to slow the train down without the air brakes.
** The 1996 Cajon Pass Runaway involving another ATSF freight train was the same reason why the previous one occurred 14 months ago, a kink in the air hose that triggers the air brakes. A train's air brakes activate when the air pressure drops instead of increasing. To keep the brakes off, air pressure should be charged to 90 PSI, whereas 0 means emergency. The PSI meter on the lead unit however was showing ''only'' 81 PSI, not even enough to activate the air brakes. It was suspected that the 16th car, ATSF 90033, was the contributing factor of the blockage due to improper repairs of the air hose and was added before the train left. However considering how far back the car was, it likely had little to no impact on the train. The 5th car, SFLC 10005, was within the effected position of the kink after being identified by a simulation of the crash. However the derailment and subsequent fire prevented investigators from close examinations of the car and other cars that could be also with the effective position of the kink. Despite this, the NTSB concluded that somewhere between Cars 5-9, an air hose kinked and cut off the train's brakes, which resulted in $9.4 million in damage, and the death of 2 of the 3 crew members.
[[/folder]]
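Review bot: several typos in the Cajon Pass entries should be corrected before this is saved: "dispacher" should read "dispatcher" and "corrent" should read "correct" in the 1989 paragraph, "it's destination" should read "its destination" (it occurs twice), "safety values" in the pipeline paragraph should read "safety valves", "air plow" should read "air flow" and "effected position" should read "affected position" in the 1994 and 1996 paragraphs, and "bunged the train couplers" is presumably "bunched the train couplers". The dynamic-brake sentence also needs its grammar repaired: "Dynamic brakes use the kinetic energy of a train's turning wheels to create electrical energy that reverses the magnetic field created by the engine's main generator, thus reducing the train's speed." Further up in the same block, "all drives stores a copy" should read "all drives store a copy", "could be control from" should read "could be controlled from", and "attempt to divided by zero" should read "attempt to divide by zero".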
Is there an issue? Send a MessageReason:
None

Added DiffLines:

** Actually {{invoked}} in the ''Series/StarTrekDeepSpaceNine'' episode "Civil Defense". Gul Dukat comes to Deep Space Nine after learning that someone's tripped the old counter-insurgency system and comes by to gloat. He promises to shut down the system of the crew allows the Cardassians to put a contingent on the station and decides to go back to his ship to make them sweat. However, as it turns out, Dukat's former commanding officer had put in a program that, if Dukat had done such a thing, would trap him on the station and trigger a self-destruct system that had all its failsafes and Dukat's codes deactivated the program considered him a DirtyCoward for leaving the station in a time of crisis.
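Review bot: "He promises to shut down the system of the crew allows" should read "if the crew allows", and the final sentence is missing a conjunction: "...had all its failsafes and Dukat's codes deactivated, because the program considered him a DirtyCoward for leaving the station in a time of crisis." Since this is added as a second-level bullet beginning "Actually {{invoked}}", it should also be placed under the ''Franchise/StarTrek'' example it qualifies; on its own it has no parent entry to refer back to.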
Is there an issue? Send a MessageReason:
None


* Britain's experimental Windscale nuclear reactor was simultaneously an example and an aversion of a Failsafe Failure. The reactor was constructed in order to give Britain parity with the United States in the nuclear arms race, but a combination of modifications to the reactor's operating procedures and incomplete understanding of graphite's response to nuclear bombardment resulted in situations where the reactor would periodically give off spikes of high heat, for which the original temperature monitoring equipment was woefully inadequate. It also lulled the operators into getting accustomed to seeing occasional high temperatures in the normal course of operation. Thus, when the reactor caught fire, it was at first thought nothing was wrong. It continued for three days at temperatures exceeding a thousand degrees centigrade whilst the temperature sensors - located away from the hotspots - reported normal operating conditions. The original design allowed for the uranium fuel cores to be pushed through their channels into a cooling bath, but by the time the fire had been discovered the cores were too hot to move. Not only had they become jammed by heat expansion, they were so hot that metal poles used to try and move them simply melted on contact. After several failed attempts to cool the reactor it was eventually brought under control by flooding the cores with water. However, the disaster could have had far more serious consequences. Windscale was air-cooled. Core temperature was kept under control with a series of fans, and the waste heat was exhausted into the air. On the suggestion of Nobel prize-winning nuclear pioneer Sir John Cockcroft the cooling towers were fitted with expensive, complex air filters, which were originally pooh-poohed on account of the work involved - the towers had already been constructed by the time Cockroft found out about them, and the filters were large, heavy structures that had to be built on top of the towers. 
As it turned out, the filters prevented the direct release of red-hot nuclear particulates into the environment, although the release of radiation was nonetheless substantial.

to:

* Britain's experimental Windscale nuclear reactor was simultaneously an example and an aversion of a Failsafe Failure. The reactor was constructed in order to give Britain parity with the United States in the nuclear arms race, but a combination of modifications to the reactor's operating procedures and incomplete understanding of graphite's response to nuclear bombardment resulted in situations where the reactor would periodically give off spikes of high heat, for which the original temperature monitoring equipment was woefully inadequate. It also lulled the operators into getting accustomed to seeing occasional high temperatures in the normal course of operation. Thus, when the reactor caught fire, it was at first thought nothing was wrong. It continued for three days at temperatures exceeding a thousand degrees centigrade whilst the temperature sensors - located away from the hotspots - reported normal operating conditions. The original design allowed for the uranium fuel cores to be pushed through their channels into a cooling bath, but by the time the fire had been discovered the cores were too hot to move. Not only had they become jammed by heat expansion, they were so hot that metal poles used to try and move them simply melted on contact. After several failed attempts to cool the reactor it was eventually brought under control by flooding the cores with water. However, the disaster could have had far more serious consequences. Windscale was air-cooled. Core temperature was kept under control with a series of fans, and the waste heat was exhausted into the air. On the suggestion of Nobel prize-winning nuclear pioneer Sir John Cockcroft the cooling towers were fitted with expensive, complex air filters, which were originally pooh-poohed on account of the work involved - the towers had already been constructed by the time Cockroft Cockcroft found out about them, and the filters were large, heavy structures that had to be built on top of the towers. 
As it turned out, the filters prevented the direct release of red-hot nuclear particulates into the environment, although the release of radiation was nonetheless substantial. Ironically, before the accident, the filters were called "Cockcroft's Folly" - a name that didn't feel appropiate anymore after the accident.
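Review bot: "appropiate" in the new closing sentence should be "appropriate".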
Is there an issue? Send a MessageReason:
None

Added DiffLines:

* ''VideoGame/EtrianOdysseyIVLegendsOfTheTitan'': The Insatiable Pupa was originally created by the Imperials as a failsafe against the Yggdrasil should the latter get corrupted; to this end, the Pupa's objective was to absorb as much corrupted matter from the tree as necessary. Unfortunately, the Pupa itself got currupted as a result, and ended up killing nearly all scientists who worked on the laboratory (now known as the Hall of Darkness) where the monster was conceived. By the time the game's story concludes and the PlayableEpilogue begins, the player's character party receives a key from the Outland Court (who in turn received it from a high-rank Imperial) which grants access to the Hall of Darkness, and once inside the characters have to find and slay the Insatiable Pupa.
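Review bot: "currupted" should be "corrupted", "scientists who worked on the laboratory" reads better as "scientists who worked in the laboratory", and "a high-rank Imperial" should be "a high-ranking Imperial".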

Added: 587

Changed: 296

Is there an issue? Send a MessageReason:
None


* ''WesternAnimation/StarTrekLowerDecks'': In "[[Recap/StarTrekLowerDecksS1E06TerminalProvocations Terminal Provocations]]", a power core overload causes a HolodeckMalfunction. The holograms continue to work fine, but the safety are turned off and allow the AI to go on a murderous rampage while preventing the program from being shut off.

to:

* ''WesternAnimation/StarTrekLowerDecks'': ''WesternAnimation/StarTrekLowerDecks'':
**
In "[[Recap/StarTrekLowerDecksS1E06TerminalProvocations Terminal Provocations]]", a power core overload causes a HolodeckMalfunction. The holograms continue to work fine, but the safety are turned off and allow the AI to go on a murderous rampage while preventing the program from being shut off.off.
** In "[[Recap/StarTrekLowerDecksS4E10OldFriendsNewPlanets Old Friends, New Planets]]", [[spoiler:Nick Locarno is killed when the Genesis Device he tries to deactivate has a CashGate that requires Latinum to complete the sequence. That's what happens when you get a Ferengi-made device]].
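Review bot: "the safety are turned off" in the first sub-bullet is still ungrammatical after the restructure; it should read "the safeties are turned off" (or "the safety protocols are turned off").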
Is there an issue? Send a MessageReason:
None

Added DiffLines:

* During ''Literature/TheShipWho Sang'', [[SapientShip Helva]] takes a troupe of actors to use [[RemoteBody "envelopes"]] to [[KlingonsLoveShakespeare perform Shakespeare for aliens]] on a methane-ammonia world. The "envelopes", which aren't remotely human, [[MyselfMyAvatar leave everyone's own bodies unconscious while being used]]. Helva uses an envelope as well as she's another actor, but as the ship she has control of the technology making this possible. A six-hour time limit built in brings everyone back to themselves, and she can manually bring herself back at a whim. Helva's able to switch herself without problem, but TheMindIsAPlaythingOfTheBody issues trouble the others and after a particularly intense performance, she's unable to bring the others back without intervention.
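Review bot: "Helva uses an envelope as well as she's another actor" needs a comma to read as intended: "Helva uses an envelope as well, as she's another actor". The sentence beginning "Helva's able to switch herself without problem" repeats the point already made by "she can manually bring herself back at a whim"; merging them avoids the duplication: "but TheMindIsAPlaythingOfTheBody issues trouble the others, and after a particularly intense performance she's unable to bring them back without intervention."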
Is there an issue? Send a MessageReason:
None


* In the notorious Creator/IrwinAllen disaster flop ''Film/TheSwarm'' (1978), the killer bees attack a nuclear power station, and cause it to blow up almost instantly when one of the technicians falls across a random instrument panel. Also the actual core is [[ArtisticLicenseNuclearPhysics completely exposed to the air without any evident shielding]].

to:

* In the notorious Creator/IrwinAllen disaster flop ''Film/TheSwarm'' (1978), ''Film/TheSwarm1978'', the killer bees attack a nuclear power station, and cause it to blow up almost instantly when one of the technicians falls across a random instrument panel. Also the actual core is [[ArtisticLicenseNuclearPhysics completely exposed to the air without any evident shielding]].
Is there an issue? Send a MessageReason:
Removing unnecessary speculation regarding the origins of some of the Real-Life examples.


*** It ''still'' gets even better -- there has been a rumor that the alarm was turned off so false alarms wouldn't wake people up. No wonder 11 people died.



** Which is the reason why any reactor is not in any way connected to the outside world other than maybe a simple telephone (which is a separate entity as well to be extra sure).
** All thanks to USB drives and the unknown genius at Microsoft who thought "let's allow plug and play media to run programs as soon as they're inserted without the user knowing" that's not a problem.
*** While that was a dumb design flaw in Windows (since fixed), ask yourself why computers in that sensitive facility even ''had'' USB ports? The ports should have been plugged, or otherwise physically disconnected... except those ports were needed to accept the PLC program code which was then transferred to the SCADA units themselves. The SCADA units were physically airgapped ''but'' needed a way to receive programming. The worm tampered with the PLC code on the Windows computer before it was sent to the USB drives and from there to the SCADA units. Thus Stuxnet becomes one of the rarest types of malware: able to use Sneakernet to ''jump an air gap''.
** The Stuxnet worm is a bit of a special case, as it was not only designed to cause the system to fail but, well, [[SuspiciouslySpecificDenial TV Tropes is not necessarily saying it was designed with the help of the company who built the centrifuges...]]
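Review bot: the stated reason ("removing unnecessary speculation regarding the origins") fits the rumour about the alarm in the first removed bullet and the centrifuge-maker insinuation in the last, but the bullets between them describe mechanism rather than origin: why a reactor's control systems are kept off any outside connection, the USB autorun behaviour the worm relied on, and how it rode the transfer of PLC code across the air gap. Consider keeping those bullets, with the grammar of "the unknown genius at Microsoft who thought ... that's not a problem" repaired, rather than dropping the whole block.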
Is there an issue? Send a MessageReason:
None


** The fact that the cabin was pressurized to about 2 atmospheres, to reflect net outward pressure the capsule would experience in space, was also a major contributory factor. It meant there was both far more oxygen available to accelerate the fire and that an inward opening door was simply physically impossible to open until the oxygen pressure was reduced. Just as there were no emergency bolts, there was also no means for depressurizing in time. There did exist a means for depressurizing rapidly, called the cabin repress valve, there was just no times to use it. According to the [[http://history.nasa.gov/SP-4029/Apollo_01c_Timeline.htm Apollo One Fire Timeline]], the crew noticed the fire (by verbal report) at 23:31:04.7. The Command Module ruptured due to pressure at 23:31:19.4, less than 15 seconds later. During the investigation, they determined that had the repress valve been opened, it would have delayed the rupture by about one second. Even if they could have instantly flushed the atmosphere, the interior surfaces had foam padding that was going to be removed prior to an actual launch protecting bulkheads and side panels from being scuffed and dinged during ground testing. After having been soak in 2 atmosphere pure oxygen for 3+ hours, the foam would have burned like napalm in hard vacuum.

to:

** The fact that the cabin was pressurized to about 2 atmospheres, to reflect net outward pressure the capsule would experience in space, was also a major contributory factor. It meant there was both far more oxygen available to accelerate the fire and that an inward opening door was simply physically impossible to open until the oxygen pressure was reduced. Just as there were no emergency bolts, there was also no means for depressurizing in time. There did exist a means for depressurizing rapidly, called the cabin repress valve, there was just no times to use it. According to the [[http://history.nasa.gov/SP-4029/Apollo_01c_Timeline.htm Apollo One Fire Timeline]], the crew noticed the fire (by verbal report) at 23:31:04.7. The Command Module ruptured due to pressure at 23:31:19.4, less than 15 seconds later. During the investigation, they determined that had the repress valve been opened, it would have delayed the rupture by about one second. Even if they could have instantly flushed the atmosphere, the interior surfaces had foam padding that was going to be removed prior to an actual launch protecting bulkheads and side panels from being scuffed and dinged during ground testing. After having been soak soaked in 2 atmosphere pure oxygen for 3+ hours, the foam would have burned like napalm in hard vacuum.
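Review bot: "there was just no times to use it" should read "there was just no time to use it", and the clause "that was going to be removed prior to an actual launch protecting bulkheads and side panels" needs reordering so the participle attaches to the padding: "foam padding, protecting bulkheads and side panels from being scuffed and dinged during ground testing, that was going to be removed prior to an actual launch". The "soak" to "soaked" fix is fine, but "in 2 atmosphere pure oxygen" should read "in 2 atmospheres of pure oxygen".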
Is there an issue? Send a MessageReason:
Editing Moonraker example for clarity.


** In ''Film/{{Moonraker}}'', a mook tries to kill Bond by disabling the chicken switch on a centrifuge and cranking the spin rate to unsafe levels. Not so much Failsafe Failure as intentional tampering, but why would a piece of equipment designed to test human endurance have the wires to the safety switch connected to a plug easily removable by the controller, and why would it go up to speeds considered dangerously unsafe for humans in the first place?

to:

** In ''Film/{{Moonraker}}'', a mook tries to kill Bond by disabling the chicken switch on a centrifuge and cranking the spin rate to unsafe levels. Not so much Failsafe Failure as This was intentional tampering, but why it was only made possible by the idiotic design of the failsafe. The switch is required to actively send a signal to stop the machine, and since the assassin removed the cables that would a piece of equipment transmit that signal, the failsafe couldn't work. It should have been designed to test human endurance interrupt a signal that kept the centrifuge spinning, so that any error in the circuit would stop the machine. With this design, tampering with the switch would have the wires to the safety switch connected to a plug easily removable by the controller, and why would it go up to speeds considered dangerously unsafe for humans in the first place?same effect as Bond hitting it.
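Review bot: the closing sentence "tampering with the switch would have the same effect as Bond hitting it" should say "unplugging the switch", so that it matches the cables-removed scenario described two sentences earlier; as written, the contrast between the stop-on-signal design and the stop-on-loss-of-signal design the entry is arguing for is lost.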
