It is not possible to design a fail-proof product. It can, however, be designed to be fail-safe. The design of atomic power plants is one example: there have been many accidents in these plants, but they were contained safely. The design of fail-safe systems can be subdivided into
1) component selection/use and
2) system design.
Examples of component failure resulting in system failure are:
1) a push button going open after a long time, and
2) a potentiometer opening at its wiper.
The component selection examples are as follows.
A potentiometer in a feedback circuit should be connected as shown.
While using it, it is natural for a worn wiper to lose contact with the track. The right connection limits the fault; with the other connection, it may lead to total failure. For this reason it is better to adjust the reference to adjust the output than to set the feedback. This arrangement is used in DC drives, battery chargers, etc.
One more example from the instrumentation side is thermocouple break protection. It is normal for a thermocouple to go open after long use. Since it is in the feedback path, the output temperature shoots up to the highest value. A small circuit used to detect the break helps in avoiding this.
A set/reset flip-flop, as shown in the figure, can be set and reset by the push buttons. Note that a normally closed push button is used; if it does not short on pressing, then the circuit will not reset. Also note that an inverter is used on Q-bar to drive the relay. It was possible to use output Q directly. However, if both inputs are present (signals from some other logic circuits), then both outputs will be high. To avoid this and make sure that Q-bar (OFF) prevails, the use of an inverter is necessary.
In microprocessor-based circuits, the microprocessor is used for checking the failure of other circuit components in the system. The microprocessor's own failure is detected by using a watchdog timer. After detection, the hardware circuit shuts off the system as per the requirements.
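The point about driving the relay through an inverter on Q-bar can be checked with a small simulation. The following is an added example, not a circuit from these notes: it models the latch as two cross-coupled NAND gates with active-low push-button inputs (the arrangement in which both outputs go high when both inputs are asserted, as the text describes), and compares the relay state for the two wiring options. The function and signal names are my own.

```python
# Added example: two-NAND set/reset latch with active-low inputs, showing why the
# relay is driven from NOT(Q-bar) rather than from Q. Names are assumptions.

def nand(a, b):
    """Two-input NAND on 0/1 values."""
    return int(not (a and b))


def sr_latch(set_n, reset_n, q=0, qbar=1):
    """Settle a cross-coupled NAND latch and return the stable (Q, Q-bar).

    set_n / reset_n are active-low: 0 means that push button is pressed.
    q / qbar are the previous outputs, which the hold state depends on.
    """
    for _ in range(8):  # a real latch settles in two gate delays; loop until stable
        q_new = nand(set_n, qbar)
        qbar_new = nand(reset_n, q_new)
        if (q_new, qbar_new) == (q, qbar):
            break
        q, qbar = q_new, qbar_new
    return q, qbar


def relay_drive(q, qbar):
    """Relay coil state (1 = energised, i.e. load ON) for the two wiring options."""
    return {
        "from_q_direct": q,                     # relay follows Q
        "via_inverter_on_qbar": int(not qbar),  # relay follows NOT(Q-bar)
    }


def evaluate(set_n, reset_n, q=0, qbar=1):
    """Latch outputs plus relay state for one input combination."""
    q, qbar = sr_latch(set_n, reset_n, q, qbar)
    out = {"q": q, "qbar": qbar}
    out.update(relay_drive(q, qbar))
    return out


if __name__ == "__main__":
    cases = {"set": (0, 1), "reset": (1, 0), "hold": (1, 1), "both asserted": (0, 0)}
    for name, (s, r) in cases.items():
        print(f"{name:14s} -> {evaluate(s, r)}")
```

In the normal set and reset states both wiring options agree. In the forbidden state (both inputs asserted) Q and Q-bar are both high: a relay wired from Q would be energised, while the relay wired from the inverted Q-bar stays off, which is the safe outcome the notes call for.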
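A watchdog timer can be illustrated with a discrete-time simulation. The following is an added example, not code from these notes: a counter that the control loop must reload ("kick") within a timeout, with a hang injected at a chosen tick so that the watchdog expires and forces the shut-off state. The tick counts, class and function names are my own assumptions.

```python
# Added example: simulated hardware watchdog supervising a control loop.
# Timeout values and names are constructed for illustration.

class Watchdog:
    """Down-counter reloaded by kick(); fires when it reaches zero."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.counter = timeout
        self.expired = False

    def kick(self):
        # A kick after expiry must not revive the system: only a hardware
        # reset clears the expired state.
        if not self.expired:
            self.counter = self.timeout

    def tick(self):
        """One clock tick; returns True once the watchdog has fired."""
        if self.expired:
            return True
        self.counter -= 1
        if self.counter <= 0:
            self.expired = True
        return self.expired


def simulate(timeout, kick_period, total_ticks, hang_at=None):
    """Run the loop for total_ticks. The loop kicks every kick_period ticks
    until it hangs at tick hang_at (None = never hangs).

    Returns the final output state and the tick at which shutdown occurred.
    """
    wd = Watchdog(timeout)
    output_enabled = True
    shutdown_tick = None
    for t in range(1, total_ticks + 1):
        loop_alive = hang_at is None or t < hang_at
        if loop_alive and t % kick_period == 0:
            wd.kick()  # normal control-loop activity
        if wd.tick():
            # hardware detection circuit: force the safe state
            output_enabled = False
            if shutdown_tick is None:
                shutdown_tick = t
    return {"output_enabled": output_enabled, "shutdown_tick": shutdown_tick}


if __name__ == "__main__":
    print("healthy:", simulate(timeout=5, kick_period=2, total_ticks=20))
    print("hung   :", simulate(timeout=5, kick_period=2, total_ticks=20, hang_at=10))
```

In the healthy run the counter never reaches zero because kicks arrive faster than the timeout. Once the loop stops kicking at tick 10, the last reload (tick 8) runs out and the output is forced off at tick 12 and stays off, regardless of anything the (hung) processor does afterwards.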
The system design examples are as follows:
A protection relay designed to switch ON in case of fault may not come on if its power supply is bad or its connections are loose. A single-phase preventer working on zero sequence is one such example. Hence protection relays are kept ON in the healthy condition and go OFF on fault. A fault-indicating lamp should go OFF on fault, for the reasons explained above.
A three-phase motor is used in forward/reverse mode with two contactors. The control circuit below shows clearly that both contactors cannot be switched on simultaneously (thus avoiding short-circuiting the lines). If the motor is switched on in the forward direction (or reverse direction), it is necessary to switch it off before reversing.
In the case of DC motor drives, dynamic braking is used in case of power failure. Regenerative braking requires line power for the commutation of the thyristors and hence cannot operate in case of power failure.
PLC redundancy is another method of making a design fail-safe. Redundancy can be achieved in many cases by ORing the circuits or paralleling them. Filament-type indicating lamps have a limited life. When these are used in fault annunciators, two lamps are connected in parallel. There is less chance of both lamps failing simultaneously, which provides the redundancy. Similarly, two battery cells can also be connected in parallel, with a series fuse for each cell to isolate a faulty cell. The cells can be ORed by using diodes (again this isolates a faulty cell).
When using fault-tripping circuits, and to avoid nuisance tripping, these are ORed and majority voting is used.
In circuits where input signals change continuously, a standard signal is used for checking the operation, and if a circuit is found faulty, the other circuit is brought into the picture. In C-Dot exchanges, all control and power supply cards are used in redundancy mode.
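The forward/reverse interlock can be modelled in ladder-logic style. The following is an added example, not the control circuit from these notes: each coil rung carries the NC STOP button, its own start button, a holding contact of its own contactor and the NC auxiliary contact of the other contactor, and the rungs are evaluated in order on each scan, as a PLC would. The contactor and button names are my own assumptions.

```python
# Added example: forward/reverse contactor interlock, evaluated rung by rung.
# KF = forward contactor, KR = reverse contactor (names are assumptions).

def step(state, fwd_btn=False, rev_btn=False, stop_btn=False):
    """One scan of the two coil rungs.

    state:   {"KF": bool, "KR": bool}, True = contactor closed
    *_btn:   True while the operator holds that button
    Returns the new contactor state.
    """
    kf_prev, kr_prev = state["KF"], state["KR"]
    stop_ok = not stop_btn  # NC stop button opens the whole circuit when pressed

    # Forward rung: start or holding contact, blocked by KR's NC aux contact.
    kf = stop_ok and (fwd_btn or kf_prev) and not kr_prev
    # Reverse rung: evaluated after KF, so it sees KF's new aux contact state.
    kr = stop_ok and (rev_btn or kr_prev) and not kf

    new = {"KF": kf, "KR": kr}
    # Invariant the circuit is built to guarantee: never both closed.
    assert not (kf and kr), "interlock violated: both contactors closed"
    return new


def run(events, state=None):
    """Apply a list of button events and return the state after each scan."""
    state = state or {"KF": False, "KR": False}
    history = []
    for ev in events:
        state = step(state, **ev)
        history.append(dict(state))
    return history


# Constructed operator sequence: start forward, try to reverse while running,
# stop, reverse, try forward while reversing, stop, press both at once.
SCENARIO = [
    {"fwd_btn": True},
    {},
    {"rev_btn": True},
    {"stop_btn": True},
    {"rev_btn": True},
    {},
    {"fwd_btn": True},
    {"stop_btn": True},
    {"fwd_btn": True, "rev_btn": True},
]

if __name__ == "__main__":
    for ev, st in zip(SCENARIO, run(SCENARIO)):
        print(f"{str(ev):40s} -> KF={int(st['KF'])} KR={int(st['KR'])}")
```

Pressing REV while the forward contactor is closed has no effect, because KF's auxiliary contact holds the reverse rung open; only after STOP does the reverse rung accept a start. Pressing both buttons together closes only the first rung evaluated, so the line-to-line short the notes warn about cannot occur in this logic.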
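The benefit of paralleling lamps and of majority voting can be put in numbers. The following is an added example, not material from these notes: it computes the probability that a k-out-of-n arrangement is in a given state (binomial tail), applies it to paralleled lamps, an ORed (1-out-of-3) trip and a 2-out-of-3 majority-voted trip, and implements the voter itself over constructed channel readings. The per-channel failure probabilities are illustrative values I chose, not figures from the notes.

```python
# Added example: reliability arithmetic for the redundancy schemes described in
# the notes, plus a k-out-of-n voter. All probabilities here are constructed.
from math import comb


def k_of_n(k, n, p):
    """P(at least k of n independent units are in a state each has with probability p)."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def parallel_lamps_dark(p_lamp_fail, lamps=2):
    """An annunciator with paralleled lamps shows nothing only if all have failed."""
    return p_lamp_fail ** lamps


def nuisance_trip(p_false, n, k):
    """P(trip with no real fault): at least k of n channels trip spuriously."""
    return k_of_n(k, n, p_false)


def missed_trip(p_miss, n, k):
    """P(real fault missed): fewer than k channels trip, i.e. at least n-k+1 fail to."""
    return k_of_n(n - k + 1, n, p_miss)


def vote(readings, k):
    """k-out-of-n voter over boolean channel outputs (True = channel demands trip)."""
    return sum(1 for r in readings if r) >= k


def or_vote(readings):
    return vote(readings, 1)      # ORed channels: any single channel trips


def majority_2oo3(readings):
    return vote(readings, 2)      # majority voting over three channels


def compare(p_false=0.01, p_miss=0.05):
    """Nuisance and missed-trip probabilities for single, ORed and 2oo3 logic."""
    return {
        "single": (p_false, p_miss),
        "or_1oo3": (nuisance_trip(p_false, 3, 1), missed_trip(p_miss, 3, 1)),
        "majority_2oo3": (nuisance_trip(p_false, 3, 2), missed_trip(p_miss, 3, 2)),
    }


if __name__ == "__main__":
    print("two lamps both dark:", parallel_lamps_dark(0.1))
    for scheme, (nuisance, missed) in compare().items():
        print(f"{scheme:14s} nuisance={nuisance:.6f} missed={missed:.6f}")
    print("2oo3 vote on [T, T, F]:", majority_2oo3([True, True, False]))
```

With the constructed figures, simply ORing three channels makes a missed trip very unlikely but triples the nuisance-trip rate, whereas 2-out-of-3 voting lowers both the nuisance rate and the missed-trip rate below that of a single channel, which is why the notes pair ORing with majority voting.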