
What is a fail safe design?

Status
Not open for further replies.

zrzr (Electrical), Nov 11, 2009
Guys,

I have been wondering, what do people mean by designing a fail-safe design, e.g. a shutdown system? I'll give a scenario. Is it:

a) When there is a power/supply failure in a system, the whole shutdown system goes into a safe state, whereby shutdown valves shall be closed and blowdown valves shall be open (fail-close and fail-open valves)?

or

b) When there is a power/supply failure in a system, the whole shutdown system would be unaffected and remain running flawlessly in its healthy / initial state?

Hope you guys can help explain this for me, because I'm getting pretty confused with all the variations of answers from my colleagues.

Thank you in advance.
 

By definition, it's a system that remains safe, regardless of the failure mode. That usually means that the system ceases operation in safe manner. How you implement that is up to you.

That said, a system that remains running safely, regardless of failure is technically "fault tolerant," although one could consider that to be "fail safe" as well. However, since such a system is still running with failed components, you cannot tell that it's overtly failed, and may wind up ignoring, or not fixing, the failure, potentially leading to a worse problem later.

TTFN

FAQ731-376
 
For field devices such as shutdown valves, fail safe requires a spring that moves the valve to the predetermined safe position upon loss of energy sources. If you lose either the power to a solenoid valve or the pneumatic supply, a shutdown valve would close.

Often blowdown valves are not exactly fail safe. I worked projects where the blowdown valve would not open upon loss of the electrical signal but would open upon loss of pneumatic supply.

Some types of actuators without a spring use other stored energy that can move the valve for one or two cycles. An example is a vane actuator or double-acting piston with a gas or air accumulator, perhaps pressurizing hydraulic oil. However, if a fire ruptures the tubing from the stored energy source, the valve would not move. This could be designed to "fail safe" electrically but would not actually be fail safe. Some systems are suitable for this level of failure. However, if the requirement is really fail safe, then it requires mechanical energy from a spring; stored pneumatic energy is not adequate.
 
zrzr,
Notice how both of the posts above are careful NOT to specify a generic fail position. That is exactly correct. Each valve needs to be evaluated for each failure mode. For example, on loss of air I want a dump valve to fail shut, but I want a throttle valve to fail as is. It is very rare for you to want a vent to fail open (but it can happen, the Engineer needs to do that analysis and decide).

"Fail Safe" is absolutely not synonymous with "Fail Shut", "Fail Open", or "Fail As Is". I have seen situations where an actuated block valve was adjacent to an actuated throttle valve--in that particular situation the block valve was Fail-Closed on all failure scenarios and the throttle valve was Fail-As-Is on all scenarios.

By "failure", control valve scenarios are all "loss of control" not process failure. You can set program logic to close a block valve on high fluid level, that is "control" not "failure". It is important not to confuse the two. If you have a pneumatic valve that has the air supply controlled by a solenoid valve then you need to decide what you want the valve to do if you lose electricity in the shut mode, what to do if you lose electricity in the open mode, what to do if you lose pneumatic pressure.

"Fail Safe" is a Hollywood term that does not convey adequate precision to be a useful Engineering term.


David Simpson, PE
MuleShoe Engineering
Please see FAQ731-376 for tips on how to make the best use of Eng-Tips Fora.

"It is always a poor idea to ask your Bridge Club for medical advice or a collection of geek engineers for legal advice"
 
My post was early, 6:03 a.m. in my time zone. I avoided safety shutdown system details and measurement instrument failure details.

My response is dancing around the valve actuators furnished by another contractor at the request of an operating company for riser valves on offshore platforms in a country south of the USA. Most of these valves ranging from NPS 24 to NPS 36 including sour gas and acid gas used vane type actuators. In the event of a fire the stored energy could not close the valves. The actuators have hand hydraulic pumps at the valves in the cellar level below the unit operating decks. In the event of a fire with damage to the tubing, no operator short of "Superman" would pump the hydraulic jacks the hundred or more strokes to close a valve even if the hand jacks could work.

Instead of the vane actuators, one contractor used a single-acting Scotch yoke style piston actuator on instrument air, with a backup air supply accumulator and double check valves on the air system. I suppose that the accumulator assures adequate air flow when opening the valve. This was a safer installation for the application.

I think that the fail-last positioners that come to mind apply to dampers on balanced draft heaters.
 
Thank you so much guys for the answers.

So the conclusion is that a fail-safe shutdown valve in particular shall have a mechanical drive (spring return) to move it to a predetermined safe position.

And vane or double-piston valves are not actually fail safe, the reason being that the accumulator / source can be interrupted.

In other words, when there is a power source (i.e. pneumatic, hydraulic or electric) loss, any shutdown valves shall react as per the predetermined state in the Cause and Effect matrix.

Please correct me if I'm still in the wrong regime & thanks again.
 
The important thing you left out of your synopsis is that you need to write down everything that can fail and determine what position you want each control valve in if that failure happens. There can be any number of failures and every one of them needs a decision. Sometimes you need springs. Sometimes you need accumulators. Sometimes you don't need anything (e.g., a valve that is driven in both directions could very easily be safest if it is Fail-As-Is).

David
 
Not sure what everyone else calls it, but in aerospace, one does a Failure Modes, Effects, and Criticality Analysis (FMECA) prior to doing the mitigation design. You have to identify all the failure modes, what the impact and effect of the failures are going to be, the criticality of the failure, i.e., will it cause catastrophic consequences, kill people, maim people, or slag the hardware.

Only then can you determine what mitigations you must apply, if any, and re-analyze your mitigation design for its failure modes and effects.

TTFN

FAQ731-376
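The two posts above (David's "write down everything that can fail and decide a position for each" and IRstuff's FMECA step) describe a procedure more than a formula, so here is a small added example of it in Python. It is not code from this thread or from any of the posters; the valve tags, actuator types and failure-mode list are constructed for illustration, and the actuator behaviour is a deliberately simplified model of what the thread describes (spring return strokes on loss of any energy; an accumulator can stroke once unless its tubing is ruptured; a double-acting actuator with no stored energy holds its last position). It checks two things the thread separates: whether every (valve, failure mode) pair has a documented decision, and whether the hardware can actually deliver the documented position.

```python
from dataclasses import dataclass
from enum import Enum


class Position(Enum):
    OPEN = "open"
    CLOSED = "closed"
    AS_IS = "as-is"   # hold the last position ("Fail-As-Is")


# Loss-of-control failure modes that need a decision for every valve.
# Constructed list for this example; a real one comes from the plant's
# own hazard review / FMECA.
FAILURE_MODES = (
    "loss_of_electric_signal",
    "loss_of_pneumatic_supply",
    "fire_ruptures_tubing",
)


@dataclass
class Valve:
    name: str
    actuator: str             # "spring_return", "accumulator" or "double_acting"
    normal_position: Position  # position during normal running
    fail_positions: dict      # failure mode -> intended Position (the C&E matrix row)


def missing_decisions(valves):
    """Every (valve, failure mode) pair with no documented decision."""
    return [(v.name, m) for v in valves for m in FAILURE_MODES
            if m not in v.fail_positions]


def physical_response(valve, mode):
    """Where the actuator physically ends up on this failure, regardless of intent.

    Simplified model (an assumption of this example, not a sizing rule):
    - spring_return: the spring strokes the valve with no external energy.
    - accumulator: stored gas/air strokes the valve once, unless the tubing
      from the accumulator is ruptured, in which case the valve stays put.
    - double_acting: no stored energy; only a signal loss with supply still
      present can drive it, any loss of supply leaves it where it is.
    """
    intended = valve.fail_positions[mode]
    if intended is Position.AS_IS:
        return valve.normal_position
    if valve.actuator == "spring_return":
        return intended
    if valve.actuator == "accumulator":
        return valve.normal_position if mode == "fire_ruptures_tubing" else intended
    if valve.actuator == "double_acting":
        return intended if mode == "loss_of_electric_signal" else valve.normal_position
    raise ValueError(f"unknown actuator type {valve.actuator!r}")


def fail_safe_gaps(valves):
    """(valve, mode, intended, actual) wherever the hardware cannot deliver
    the documented fail position. Undecided pairs are reported by
    missing_decisions() instead, so they are skipped here."""
    gaps = []
    for v in valves:
        for m in FAILURE_MODES:
            if m not in v.fail_positions:
                continue
            intended = v.fail_positions[m]
            expected = v.normal_position if intended is Position.AS_IS else intended
            actual = physical_response(v, m)
            if actual != expected:
                gaps.append((v.name, m, intended, actual))
    return gaps


# Constructed sample matrix: tag names are made up for this example.
VALVES = [
    Valve("ESDV-101 riser shutdown", "spring_return", Position.OPEN,
          {"loss_of_electric_signal": Position.CLOSED,
           "loss_of_pneumatic_supply": Position.CLOSED,
           "fire_ruptures_tubing": Position.CLOSED}),
    Valve("BDV-102 blowdown", "accumulator", Position.CLOSED,
          {"loss_of_electric_signal": Position.OPEN,
           "loss_of_pneumatic_supply": Position.OPEN,
           "fire_ruptures_tubing": Position.OPEN}),
    Valve("FCV-103 throttle", "double_acting", Position.OPEN,
          {"loss_of_electric_signal": Position.AS_IS,
           "loss_of_pneumatic_supply": Position.AS_IS}),  # fire case never decided
]


if __name__ == "__main__":
    for name, mode in missing_decisions(VALVES):
        print(f"UNDECIDED: {name} on {mode}")
    for name, mode, intended, actual in fail_safe_gaps(VALVES):
        print(f"NOT FAIL SAFE: {name} on {mode}: wanted {intended.value}, "
              f"hardware gives {actual.value}")
```

Run stand-alone it flags the throttle valve's undecided fire case and the blowdown valve that is "fail safe electrically" but stays closed when the accumulator tubing is lost, which is the distinction the earlier posts draw. Swapping the blowdown valve's actuator to "spring_return" clears the second finding; only adding the missing row clears the first.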
 
IRstuff, it is a WAY bigger deal in aerospace than most anywhere else (and rightly so). I think in most industries they call it "Engineering" or "doing your damned job".

David
 
It's actually a "big" deal in anything electronic. You could have, literally, millions of potential failures within a single circuit board.

We get paid by the hour for our "job" so everything needs to be named ;-)

TTFN

FAQ731-376
 