The concept of fail-safe is in practice mainly used for specific methods and principles for keeping the system safe in case of failure, such as shutting down the components or the entire system.
Basically, there are two modes of fail-safe (in this narrower construal): fail-silence and fail-operational.
Fail-silence means that the system is stopped when a critical failure is detected, preventing any harmful event from occurring.
An electrical fuse is a paradigmatic example of a fail-silence application, as is the dead man’s handle that stops the train when the driver falls asleep.
Fail-operational means that the system will continue to work despite the fault [37].
(Sometimes a distinction is made between partially operational ("fail-active") and fully operational; cf. Hammer [2].)
In aviation, fail-operational systems are paramount; airborne failures may lead to partial operational restrictions, but system shutdown is normally not a particularly safe option.
A safety valve is another paradigmatic fail-operational device; if the pressure becomes too high in a steam boiler, the safety valve lets steam out of the boiler without shutting the system down.
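To make the two modes concrete, the following Python illustration is added here; it is not part of the paper. A single protective element (the `Guard` class, the `Mode` names, the demand trace and the dead man's handle timings are all assumptions of this example) is run in each mode against the same sequence of demands: in fail-silent mode the first demand above the limit trips the guard and it latches off, as a fuse or a dead man's handle does; in fail-operational mode the excess is shed and the component keeps working, as a safety valve does.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FAIL_SILENT = "fail-silent"            # stop on a critical fault and latch
    FAIL_OPERATIONAL = "fail-operational"  # contain the fault, keep serving


@dataclass
class Outcome:
    output: float   # what the protected load actually received this step
    fault: bool     # whether the demand exceeded the limit this step
    stopped: bool   # whether the fail-silent latch is engaged


class Guard:
    """One protective element in front of a component (hypothetical model).

    `limit` is the highest demand the component may safely pass on.
    FAIL_SILENT: the first demand above the limit trips the guard and every
    later demand yields zero output until reset() (fuse, dead man's handle).
    FAIL_OPERATIONAL: the demand is clipped to the limit and the remainder
    is passed on; the excess is shed (vented) and the component never stops
    (safety valve).
    """

    def __init__(self, mode: Mode, limit: float) -> None:
        self.mode = mode
        self.limit = limit
        self.tripped = False
        self.shed_total = 0.0
        self.fault_count = 0

    def reset(self) -> None:
        """Manual reset, e.g. replacing the fuse or releasing the brakes."""
        self.tripped = False

    def step(self, demand: float) -> Outcome:
        fault = demand > self.limit
        if fault:
            self.fault_count += 1
        if self.mode is Mode.FAIL_SILENT:
            if fault:
                self.tripped = True
            if self.tripped:
                return Outcome(0.0, fault, True)
            return Outcome(demand, fault, False)
        # FAIL_OPERATIONAL: shed the excess, never stop
        excess = max(0.0, demand - self.limit)
        self.shed_total += excess
        return Outcome(demand - excess, fault, False)


# Constructed sample trace (not from the paper): read as amps for the fuse
# and as bar for the boiler; the third reading exceeds a limit of 10.
TRACE = [4.0, 7.0, 12.0, 6.0, 5.0]


def compare(limit: float = 10.0, trace=TRACE):
    """Feed the same trace through both modes; return the delivered outputs
    and the total excess shed by the fail-operational guard."""
    fuse = Guard(Mode.FAIL_SILENT, limit)
    valve = Guard(Mode.FAIL_OPERATIONAL, limit)
    silent = [fuse.step(d).output for d in trace]
    operational = [valve.step(d).output for d in trace]
    return silent, operational, valve.shed_total


def dead_mans_handle(acks, checks, timeout_s: float = 30.0):
    """Dead man's handle as a fail-silent guard on elapsed time.

    `acks` are the times (s) at which the driver pressed the handle, `checks`
    the times at which the train asks whether it may keep moving.  Once the
    handle trips, the brakes stay applied even if an acknowledgement arrives
    later; only reset() releases them.
    """
    handle = Guard(Mode.FAIL_SILENT, timeout_s)
    may_move = []
    for t in checks:
        last_ack = max((a for a in acks if a <= t), default=0.0)
        may_move.append(not handle.step(t - last_ack).stopped)
    return may_move


if __name__ == "__main__":
    print(compare())
    print(dead_mans_handle([0, 20, 40, 85], [10, 30, 50, 80, 90]))
```

Both guards see the same over-limit reading; the fail-silent guard delivers nothing from that point on, while the fail-operational guard delivers the clipped value and keeps serving the later readings. In the dead man's handle run, the acknowledgement at 85 s does not release the brakes, because in a fail-silent design the stop is latched rather than self-clearing.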