Failsafe

  • By Lt. Col. Robert Garner
  • 341st Missile Wing Safety Office
Failsafe is a term that is embedded in our strategic heritage, but it is also a term that can be easily misunderstood and misapplied.

Knowing how to plan operations and design materiel so that they fail in a safe mode is a vital capability in all operations, and especially in nuclear operations.

Failsafe is defined by Merriam Webster as: "incorporating some feature for automatically counteracting the effect of an anticipated possible source of failure; being or relating to a safeguard that prevents continuing on a bombing mission according to a preconceived plan; having no chance of failure: infallibly problem-free."

How do you know an operation or system is failsafe? One technique is a "what if" analysis: walk through the procedure step by step and ask at each step, "What if it fails here?"

If the answer is a mishap, that step is not failsafe, and you can eliminate the problem by modifying the device or the procedure so that a failure at that step leads to a safe outcome instead.
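As an added illustration, not part of the original article, the same "what if" walk-through applied to a hypothetical access-control gate written in Python. The gate reads an allow-list file before granting access; at that step the question is, "What if the file cannot be read?" The first variant answers with a mishap (everyone is admitted), the second fails closed (everyone is denied until the list is readable again). The function names, the JSON file format and the sample users are assumptions made for this example.

```python
"""Fail-open vs fail-closed: a 'what if it fails here?' walk-through.

Added example, not from the original article. The access-control gate,
its allow-list file format and the sample data are all hypothetical.
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, Optional, Set, Tuple


def load_allowlist(path: Path) -> Optional[Set[str]]:
    """Read a JSON list of permitted user IDs.

    Returns None on any anticipated failure (file missing, unreadable,
    malformed, or not a list) so that the caller, not this helper,
    decides what the failure mode is.
    """
    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError):  # JSONDecodeError is a ValueError
        return None
    if not isinstance(data, list):
        return None
    return set(data)


def is_allowed_fail_open(user: str, path: Path) -> bool:
    """The 'before' version. What if load_allowlist fails here?

    Answer: the check is skipped and everyone is admitted. This is the
    elevator without the Otis brake: a rare failure with a catastrophic
    result. Kept deliberately wrong for the comparison.
    """
    allow = load_allowlist(path)
    if allow is None:
        return True  # BUG: the failure itself grants access
    return user in allow


def is_allowed_fail_closed(user: str, path: Path) -> bool:
    """The failsafe version: when the allow-list cannot be trusted, deny.

    The failure still happens, but its result is a visible outage rather
    than a silent breach, which is the safe failure mode for a gate.
    """
    allow = load_allowlist(path)
    if allow is None:
        return False
    return user in allow


def what_if_walkthrough(user: str = "alice") -> Dict[str, Tuple[bool, bool]]:
    """Exercise the normal path and each anticipated failure of the
    allow-list step, recording both variants' decisions as
    (fail_open, fail_closed). All files are constructed in a temp dir."""
    results: Dict[str, Tuple[bool, bool]] = {}

    def both(who: str, path: Path) -> Tuple[bool, bool]:
        return is_allowed_fail_open(who, path), is_allowed_fail_closed(who, path)

    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "allow.json"
        good.write_text(json.dumps(["alice", "bob"]))  # constructed sample
        results["valid, member"] = both(user, good)
        results["valid, non-member"] = both("mallory", good)

        # Step failure 1: the file is gone (deploy error, disk fault).
        results["file missing"] = both(user, Path(tmp) / "does-not-exist.json")

        # Step failure 2: the file is present but not valid JSON.
        corrupt = Path(tmp) / "corrupt.json"
        corrupt.write_text("{not json")  # constructed sample
        results["file malformed"] = both(user, corrupt)

        # Step failure 3: valid JSON, wrong shape (someone edited it by hand).
        wrong_shape = Path(tmp) / "shape.json"
        wrong_shape.write_text(json.dumps({"alice": True}))  # constructed sample
        results["wrong shape"] = both(user, wrong_shape)

    return results


if __name__ == "__main__":
    for scenario, (open_result, closed_result) in what_if_walkthrough().items():
        print(f"{scenario:20s} fail-open={open_result!s:5} fail-closed={closed_result!s:5}")
```

Both variants behave identically while the allow-list is readable; they differ only in the three failure rows, which is exactly where the "what if" question is asked. Note that validating the file on a schedule would lower the odds of reaching those rows, but, like inspecting the elevator cable, it would not change what happens when they are reached; only the fail-closed branch does that.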

An example of this is the Otis elevator brake. Prior to the Otis device, if an elevator's cable broke, the elevator fell to the bottom of the elevator shaft. This is not a good failure mode. As such, Elisha Graves Otis invented an elevator brake that automatically engages when the cable breaks. This is a prime failsafe example. When the cable fails, the elevator stops safely.

Other failsafe techniques involve modifying procedures. United States Navy doctrine instructs pilots to land airplanes on carriers under full power. The reason is that, in order to stop on a carrier, an aircraft has a tail hook that must catch a cable attached to the deck. If the cable breaks or the hook misses every cable, an aircraft that isn't under full power will likely end up in the ocean.

By being under full power upon landing, the aircraft retains the ability to climb away. This ensures that if either the cable or the pilot's attempt to catch it fails, the failure mode is a safe one: climbing to safety rather than going into the sea.

Some things we do when trying to create a failsafe system don't actually serve a failsafe purpose.

For example, while inspections and audits are often the first things we do to try to prevent mishaps, they usually do not make anything failsafe.

Returning to the elevator example, inspecting the cables periodically could reduce the probability of a cable failing, and the more frequent the inspection, the lower that probability. Without the Otis device, however, inspection does nothing to reduce the catastrophic result when a cable does fail. Inspections address how often a failure happens; failsafe design addresses what happens when it does.

Thus, while inspections and audits are vital mishap-prevention tools, they must be used in conjunction with failsafe measures to produce a failsafe system.

So, how can this apply to you? Look at the things you do at work or at home on a daily basis. Ask "what if" questions, and if the answer you get is a mishap, try to find ways to failsafe that part of the operation, either by seeking better materiel or by changing procedures.