> Fail safe means that a failure is possible and even expected,
> but that when it happens, it will do so in a way that is the least likely
> to do damage. The device "Fails" in a "Safe" way.
> Some (rather bad) examples include:
> Fail safe is when there is a shroud under the fuel pump that
> directs leaking gasoline away from the exhaust headers.

That is an attempt at 1-fail safe: one failure will probably not lead to a catastrophic result. For really 1-fail safe there should be indicators for both leaking and shroud failure. Otherwise one could be driving a car with a damaged shroud, which would no longer be 1-fail safe.

The robot arm for which I once worked was (designed to be) 3-fail safe (and 1-fail operational). Here is a description: http://adsabs.harvard.edu/abs/1998dsa..conf..321B

Note that to really pin down 'N-fail safe' one must provide a lot of additional definitions:
- what is catastrophic
- what is independent
- how are your components 'allowed' to fail
- is man-in-the-loop allowed
- how long must the N-fail-safe last (components wear down, especially in space!)
etc

Wouter van Ooijen

-- 
-------------------------------------------
Van Ooijen Technische Informatica: www.voti.nl
consultancy, development, PICmicro products
docent Hogeschool van Utrecht: www.voti.nl/hvu

-- 
http://www.piclist.com PIC/SX FAQ & list archive
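The shroud argument above (an undetected shroud failure silently demotes the car from 1-fail safe to 0-fail safe) can be modelled with a small script. This is an added example, not code from the post or its author; the component names, the catastrophe condition and the rule that a latent failure costs nothing toward N are assumptions made for the illustration.

```python
from itertools import combinations
from typing import Callable, FrozenSet, Iterable

# Added example (not from the original post). Model: a system is N-fail safe
# when no combination of N independent failures is catastrophic. A failure
# that is NOT detected by an indicator is latent: it may already be present
# unnoticed, so it does not consume any of the N-failure budget.
Failures = FrozenSet[str]


def fail_safe_level(components: Iterable[str],
                    catastrophic: Callable[[Failures], bool],
                    detected: Iterable[str]) -> int:
    """Largest N for which every catastrophic failure set needs more than N
    *detected* failures. Returns -1 when a catastrophe needs no detected
    failure at all (the system can sit in a dangerous state silently), and
    len(components) when no failure set is catastrophic."""
    comps = sorted(set(components))
    det = set(detected)
    worst = None
    for k in range(1, len(comps) + 1):
        for failed in combinations(comps, k):
            fs = frozenset(failed)
            if catastrophic(fs):
                cost = len(fs & det)  # only detected failures count toward N
                worst = cost if worst is None else min(worst, cost)
    return len(comps) if worst is None else worst - 1


# Constructed model of the fuel-pump shroud example (names are assumed).
COMPONENTS = ["pump_seal", "shroud"]


def fuel_on_headers(failed: Failures) -> bool:
    # Gasoline reaches the exhaust only if the seal leaks AND the shroud
    # is damaged so it no longer diverts the fuel.
    return {"pump_seal", "shroud"} <= failed


def level_with_indicators() -> int:
    # Leak and shroud damage are both detected: two detected failures are
    # needed for a catastrophe, so the car is 1-fail safe.
    return fail_safe_level(COMPONENTS, fuel_on_headers, ["pump_seal", "shroud"])


def level_without_shroud_indicator() -> int:
    # Shroud damage is latent: one detected failure (the leak) on top of an
    # unnoticed damaged shroud is catastrophic, so only 0-fail safe.
    return fail_safe_level(COMPONENTS, fuel_on_headers, ["pump_seal"])
```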