Fail-safe
===Electrical or electronic===
Examples include:
*Many devices are protected from [[short circuit]] by [[fuse (electrical)|fuses]], [[circuit breaker]]s, or [[current limiting]] circuits. The electrical interruption under overload conditions prevents damage or destruction of wiring or circuit devices due to overheating.
*[[Avionics]]<ref>{{cite book |title=A Dictionary of Aviation |first=David W. |last=Wragg |isbn=9780850451634 |edition=first |publisher=Osprey |year=1973 |page=127}}</ref> using [[redundancy (engineering)|redundant systems]] to perform the [[triple modular redundancy|same computation using three different systems]]. Differing results indicate a fault in the system.<ref>{{cite book |last = Bornschlegl |first = Susanne |title = Ready for SIL 4: Modular Computers for Safety-Critical Mobile Applications |publisher = MEN Mikro Elektronik |year = 2012 |url = https://www.menmicro.com/downloads/search/dl/sk/%22White%20Paper%3A%20Ready%20for%20SIL4%3A%20Modular%20Computers%20for%20Safety-Critical%20Mobile%20Applications%22/dx/1/ |format = pdf |access-date = 2015-09-21 |archive-date = 2019-06-09 |archive-url = https://web.archive.org/web/20190609205912/https://www.menmicro.com/downloads/search/dl/sk/%22White%20Paper%3A%20Ready%20for%20SIL4%3A%20Modular%20Computers%20for%20Safety-Critical%20Mobile%20Applications%22/dx/1/ |url-status = dead }}</ref>
*[[Drive-by-wire]] and [[fly-by-wire]] controls such as an accelerator position sensor typically have two potentiometers which read in opposite directions, such that moving the control results in one reading becoming higher and the other, generally, equally lower. A mismatch between the two readings indicates a fault in the system, and the [[engine control unit|ECU]] can often deduce which of the two readings is faulty.<ref>{{cite web|url=http://www.obd-codes.com/p2138|title=P2138 DTC Throttle/Pedal Pos Sensor/Switch D / E Voltage Correlation|website=www.obd-codes.com}}</ref>
*[[Traffic light]] controllers use a ''Conflict Monitor Unit'' to detect faults or conflicting signals and switch an intersection to an all-flashing error signal, rather than displaying potentially dangerous conflicting signals, e.g. showing [[green]] in all directions.<ref>Manual on Uniform Traffic Control Devices, Federal Highway Administration, 2003</ref>
*The automatic protection of programs and/or processing systems when a [[computer hardware]] or [[software]] failure is detected in a [[computer system]]. A classic example is a [[watchdog timer]]. See [[Fail-safe (computer)]].
*A [[control operation]] or function that prevents improper system functioning or [[catastrophic failure|catastrophic]] degradation in the event of [[electronic circuit|circuit]] malfunction or operator error; for example, the fail-safe [[track circuit]] used to control [[railway signaling|railway block signal]]s. The fact that a flashing amber is more permissive than a solid amber on many railway lines is a sign of a fail-safe, as the relay, if not working, reverts to the more restrictive setting.
*The iron pellet ballast on the [[Bathyscaphe]] is dropped to allow the submarine to ascend. The ballast is held in place by [[electromagnet]]s. If electrical power fails, the ballast is released, and the submarine then ascends to safety.
*Many [[nuclear reactor]] designs have neutron-absorbing control rods suspended by electromagnets. If the power fails, they drop under gravity into the core and shut down the chain reaction in seconds by absorbing the neutrons needed for fission to continue.
*In [[industrial automation]], alarm circuits are usually "[[normally closed]]". This ensures that in case of a wire break the alarm will be triggered. If the circuit were normally open, a wire failure would go undetected while blocking actual alarm signals.
*Analog sensors and modulating actuators can usually be installed and wired such that a circuit failure results in an out-of-bound reading; see [[current loop]]. For example, a potentiometer indicating pedal position might only travel from 20% to 80% of its full range, such that a cable break or short results in a 0% or 100% reading.
*In control systems, critically important signals can be carried by a complementary pair of wires (<signal> and <not_signal>). Only states where the two signals are opposite (one is high, the other low) are valid. If both are high or both are low, the control system knows that something is wrong with the sensor or connecting wiring. Simple failure modes (dead sensor, cut or unplugged wires) are thereby detected. An example would be a control system reading both the [[normally open]] (NO) and [[normally closed]] (NC) poles of a [[switch#Contact terminology|SPDT]] selector switch against common, and checking them for coherency before reacting to the input.
*In [[HVAC control system]]s, [[actuators]] that control dampers and valves may be fail-safe, for example, to prevent coils from freezing or rooms from overheating. Older [[pneumatic actuators]] were inherently fail-safe because if the air pressure against the internal diaphragm failed, the built-in spring would push the actuator to its home position; of course, the home position needed to be the "safe" position. Newer electrical and electronic actuators need additional components (springs or capacitors) to automatically drive the actuator to the home position upon loss of electrical power.<ref>{{cite web|title=When Failure Is Not an Option: The Evolution of Fail-Safe Actuators |date=29 October 2015 |url=https://www.kmccontrols.com/blog/when-failure-is-not-an-option-the-evolution-of-fail-safe-actuators/ |publisher=KMC Controls |access-date=12 April 2021 }}</ref>
*[[Programmable logic controller]]s (PLCs). To make a PLC fail-safe, the system is designed so that no energization is required to stop the associated drives. For example, an emergency stop is usually a normally closed contact. In the event of a power failure, this removes the power directly from the coil and also from the PLC input. Hence, a fail-safe system.
*If a [[voltage regulator]] fails, it can destroy connected equipment. A [[crowbar (circuit)]] prevents damage by short-circuiting the power supply as soon as it detects overvoltage.
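The input-validation patterns in the list above (the 20%-80% analog window, the opposed pedal potentiometer pair, the complementary signal/not_signal pair, and the normally closed alarm loop) written out as firmware-style checks. This is an added illustration, not code from the article or any cited source; the function names, fault codes and the tolerance parameter are assumptions.

```c
#include <stdbool.h>

/* Added example (not from the article): fail-safe input validation for the
 * patterns described above. Function names, the fault codes and the
 * tolerance value are assumptions made for this illustration. */

enum pedal_fault { PEDAL_OK = 0, PEDAL_A_FAULT = 1, PEDAL_B_FAULT = 2, PEDAL_MISMATCH = 3 };

/* Analog sensor wired so that a healthy reading stays strictly inside
 * 20%..80% of full scale; 0% or 100% means a cable break or short. */
bool analog_in_bounds(double pct)
{
    return pct > 20.0 && pct < 80.0;
}

/* Two pedal potentiometers read in opposite directions over the same span
 * (assumed here), so a healthy pair sums to roughly 100%. An out-of-bounds
 * reading pinpoints the bad sensor; an in-bounds pair that disagrees beyond
 * the tolerance is flagged as a fault without blaming either sensor. */
enum pedal_fault check_pedal_pair(double a_pct, double b_pct, double tolerance_pct)
{
    if (!analog_in_bounds(a_pct))
        return PEDAL_A_FAULT;
    if (!analog_in_bounds(b_pct))
        return PEDAL_B_FAULT;
    double mismatch = (a_pct + b_pct) - 100.0;
    if (mismatch < 0.0)
        mismatch = -mismatch;
    return mismatch <= tolerance_pct ? PEDAL_OK : PEDAL_MISMATCH;
}

/* Complementary pair (signal / not_signal), or the NO and NC poles of an
 * SPDT switch read against common: only opposite levels are a valid state.
 * Both-high or both-low (dead sensor, cut or unplugged wire) is a fault. */
bool complementary_pair_valid(bool signal, bool not_signal)
{
    return signal != not_signal;
}

/* Normally closed alarm loop: a healthy, quiet loop conducts. Loss of
 * continuity, whether an alarm contact opened or a wire broke, must raise
 * the alarm, so a wiring failure is never silently masked. */
bool nc_alarm_loop_should_alarm(bool loop_conducting)
{
    return !loop_conducting;
}
```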