Fail Safe: A Dangerous Misconception

“They’ve thought of everything. Everything, that is, but their own failure.”  — K. Austin Collins

I recently watched the 1964 movie, Fail Safe, directed by Sidney Lumet. It reminded me of a dangerous misconception I frequently encounter during process hazard reviews.

If you are not familiar with the movie, it came out shortly after the Cuban missile crisis. It stars Henry Fonda as the President of the United States who has a series of increasingly terrible decisions to make after an electromechanical failure at Strategic Air Command inadvertently sends a bomber group armed with nuclear weapons to attack Moscow.

It doesn’t end well.

What Does “Fail Safe” Mean?

The most common definition of fail-safe, the one that resonates with most people, is “having no chance of failure, infallibly problem-free.” This definition reminds me of the term “fool-proof,” about which a good friend was fond of saying, “Never underestimate the ingenuity of fools—the best we can do is fool-resistant.”

A more reasonable definition is “incorporating some feature for automatically counteracting the effect of an anticipated possible source of failure.” Key to this definition is the phrase “an anticipated possible source of failure.” Fail-safes are built in response to specific sources of failure. They don’t counteract all anticipated sources of failure. Nor do they counteract unanticipated sources of failure, except coincidentally.

During a Hazard Review

This is a question that often comes up during a PHA: “So, what happens if this valve fails open?”

Sadly, the answer is often, “It can’t fail open. It’s a fail-closed valve.” Then someone points to the P&ID and they’re correct. Right there on the P&ID, the valve is marked “FC”. Other valves, such as vent valves, are marked “FO” for fail-open valves. They have said out loud what many others believe: A fail-closed valve is a fail-safe valve that has no chance of failing to the open position, that it will infallibly go to the closed position upon any failure associated with that valve.

Once those beliefs are expressed in words—“no chance of failing to the open position”, “infallibly go to the closed position”, “upon any failure”—many will understand how unrealistic the expectation of an infallible fail-closed valve is.

So, what is realistic?

How Does a Fail-Safe Valve Work?

The most anticipated failure associated with an actuated valve is not a mechanical failure of the valve. It is the loss of the energy source that actuates the valve. That means the loss of electrical power in the case of a solenoid valve or the loss of instrument air pressure in the case of a pneumatically operated valve. Making a valve “fail-safe” means deciding what position the valve should go to in order to be “safe”, then setting it up so that its actuator is de-energized when in that position and energized when in the other position.

A “fail-closed” valve is one that is energized to go to the open position and de-energized to go to the closed position. An example is a valve that is “air-to-open, spring-to-close”.

Likewise, a “fail-open” valve is one that is energized to the closed position and de-energized to the open position. In other words, “air-to-close, spring-to-open”.

A third option is a “fail-last” valve. It is a valve that must be energized to go to the open position and must be energized to go the closed position. When it is de-energized, there is no motive force to move the valve to any other position.

Of course, valves can experience other failures. Shafts can stick. Springs can break. Seals can become fouled. That means that a fail-close valve can fail in the open position, that a fail-open valve can fail in the closed position, and a fail-last valve can somehow end up in a different position. They are all far less likely than loss of energy, which would cause a valve to fail as intended, but they are possible. Many deal with this by assuming an average probability of failure on demand (PFDavg) of 0.1 when considering a failure to the de-energized position, and a PFDavg of 0.01 when considering a failure to the energized position.

What’s In a Name?

The problem is not in the design of the valves, but in what we call them. A valve that closes when de-energized will work the same whether we call it fail-closed (FC) or de-energize to close (DTC). However, people responsible for identifying and addressing hazards are less likely to misunderstand the hazards if the names are better descriptors.

Long-established naming conventions are hard customs to overcome. We’ve been talking about fail-closed valves and fail-open valves for decades. It’s what we’re used to. But this naming convention is an obstacle to safety. Not a big obstacle, but an obstacle. Anything we can do to remove obstacles to safety will make our processes and workplaces safer.

That’s a good thing.

Meanwhile

Only one character in the movie, Fail Safe, was a technical person. The other characters were all politicians and military personnel. When challenged on how fool-proof the system was, the engineer said, “The fact is, the machines work so fast, they are so intricate, the mistakes they make are so subtle, that very often a human being just can’t know whether a machine is lying or telling the truth.” That was in 1964. It’s no less true now.

We can’t change the naming conventions for fail-safe valves immediately. Perhaps we can never change them. But we can make sure that everyone involved understands exactly what those naming conventions mean. That will make our safety reviews better, and so, will make our processes and workplaces safer.