Safe Fail


Rosalia Kemme

Aug 4, 2024, 5:30:31 PM
to siccucaco
In engineering, a fail-safe is a design feature or practice that, in the event of a failure of the design feature, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people. Unlike inherent safety to a particular hazard, a system being "fail-safe" does not mean that failure is naturally inconsequential, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. If and when a "fail-safe" system fails, it remains at least as safe as it was before the failure.[1][2] Since many types of failure are possible, failure mode and effects analysis is used to examine failure situations and recommend safety design and procedures.[3]

Some systems can never be made fail-safe, as continuous availability is needed. Redundancy, fault tolerance, or contingency plans are used for these situations (e.g. multiple independently controlled and fuel-fed engines).[4]


Fail-safe (foolproof) devices are also known as poka-yoke devices. Poka-yoke, a Japanese term, was coined by Shigeo Shingo, a quality expert.[11][12] "Safe to fail" refers to civil engineering designs such as the Room for the River project in Netherlands and the Thames Estuary 2100 Plan[13][14] which incorporate flexible adaptation strategies or climate change adaptation which provide for, and limit, damage, should severe events such as 500-year floods occur.[15]


Fail-safe and fail-secure are distinct concepts. Fail-safe means that a device will not endanger lives or property when it fails. Fail-secure, also called fail-closed, means that access or data will not fall into the wrong hands in a security failure. Sometimes the approaches suggest opposite solutions. For example, if a building catches fire, fail-safe systems would unlock doors to ensure quick escape and allow firefighters inside, while fail-secure would lock doors to prevent unauthorized access to the building.


During the Cold War, "failsafe point" was the term used for the point of no return for American Strategic Air Command nuclear bombers, just outside Soviet airspace. In the event of receiving an attack order, the bombers were required to linger at the failsafe point and wait for a second confirming order; until one was received, they would not arm their bombs or proceed further.[16] The design was to prevent any single failure of the American command system causing nuclear war. This sense of the term entered the American popular lexicon with the publishing of the 1962 novel Fail-Safe.


(Other nuclear war command control systems have used the opposite scheme, fail-deadly, which requires continuous or regular proof that an enemy first-strike attack has not occurred to prevent the launching of a nuclear strike.)


Getting people to think safe-fail in organisational cultures that are fail-safe is very difficult. It is not just a matter of management saying that failure is permitted; it is also about making some very dramatic interventions to indicate that you really mean it. Most people working in large (or even small) organisations know that the reality of life is that people who succeed but do not learn progress faster than people who learn through partial failure. Total failure should not be tolerated as it indicates fail-safe badly executed, but fail-safe with luck involves no learning, and there is often more contextual luck in stories of executive success than there is judgement. Rewarding failure is a hard pill to swallow but a necessary one for organisations.


It sounds like, based on other posts, that fail safe language can be limiting. In the document I am using, if I choose fail safe, then the Plan must pass 410(b) by the ratio percentage test. If I do not choose fail safe, then the Plan does not seem to contain any language about how to fix a failed 410b or 401(a)(4) test. Would I just use the corrective amendment route? Is it OK that the Plan does not specify that I should use the corrective amendment option? This is all theoretical, I am doing the GUST amendment and trying to pick out the best language.


The IRS made us remove all failsafe language from our xtested docs. And I thought others had to do the same. What is the status of the one you are referencing? Could this be pre-GUST and therefore a moot point?


The reviewing agent and I had a long discussion about this regarding my volume submitters. They originally insisted that this option be taken out. Ultimately he let me keep this in. His problem was a definitely determinable issue, and I convinced him that as long as the method for the "add back" was spelled out and there was no employer discretion with the add back, you should not have a DD problem.


Lynn, I think it depends on attitude. Some people like it, some people don't. I prefer not to have the fail-safe language because it specifies a singular correction methodology when, if not specified in the plan, a plan sponsor might have multiple options for correction.


There are some that argue that the cost of compliance is reduced with fail-safe language. I agree as to the impact on time necessary to fashion a correction. That is a given. If the correction is mandated it takes almost no time at all to fashion a correction: just follow the document as it exists. But I have found that the time involved in fashioning a correction is frequently less than the cost of a fail-safe correction. That isn't always the case, though, so it remains a judgement issue at that level.


There are also people who like the fail safe language because it allows untended plans to claim a violation only of operational compliance (we failed to follow the terms of our document, so we will just do what we should have done under EPCRS and be fine), rather than a violation of the non-discrimination rules that requires a retroactive amendment under EPCRS.


I certainly agree that if a plan is not going to be tended, it will likely be in a better document position to have the fail safe language once a problem is discovered. However, this isn't always the determining factor. Even then, a non-fail safe plan might be able to fashion a correction that is less costly.


How do you correct a 410(b) failure under EPCRS by retroactive amendment? Would you have to submit the amendment to the IRS for approval? There doesn't seem to be a whole lot about correcting demographic failures in the Rev. Proc. Thanks.




Our relationship with failure is broken in the workplace. A few bright spots exist where employees feel safe to innovate by trial and error, but for the most part, we talk a good game and do everything in our power to avoid it. Bestselling author Anita Moorjani and I talked about how fear perpetuates our failure avoidance and how to get past it.


When you begin to frame your growth opportunities in this context, demonstrate your commitment by modeling your willingness to learn from failure. Consider a fail-fest contest or pilot campaign where employees feel encouraged to think outside the box and either submit ideas for testing or lead the project. By orchestrating a testing environment, you normalize and expect failures, making it more acceptable outside of these events.


A silver lining of the pandemic has been our increasing focus on individual well-being. For many of us, blending our work with being at home helps us tap into our personal lives to restore our reserves quicker and bounce back from failure. Going on a walk to push reset or using what was commute time to catch a meal with loved ones is now possible.


Fail-safe provides a (non-configurable) 7-day period during which historical data may be recoverable by Snowflake. This period starts immediately after the Time Travel retention period ends. Note, however, that a long-running Time Travel query will delay moving any data and objects (tables, schemas, and databases) in the account into Fail-safe, until the query completes.


Fail-safe is not provided as a means for accessing historical data after the Time Travel retention period has ended. It is for use only by Snowflake to recover data that may have been lost or damaged due to extreme operational failures.


Also, for fail-safe Collections, when multiple threads try to access a Collection, you won't get a ConcurrentModificationException because each thread is working on its own copy of it. I was wondering does this mean, that an actual physical copy of the Collection is created in the memory for each thread?


Ummm ... if by "fail-safe" you mean that you can't get a ConcurrentModificationException, then the answer is No. You can get that exception with a Hashtable when you use an Iterator on it. The javadoc states that explicitly.


In some cases the iterator is working off a copy that is not going to be modified. In other cases, the iterator is working off something that could be modified and/or that doesn't represent a consistent snapshot of the collection at all. It really depends on how the "fail-safe" behaviour is specified for the specific collection class that you are talking about. (And one of the good things about the collection classes is that they clearly specify what you can and cannot rely on. You just need to read the specifications carefully to make sure that you really understand them!!)


The Enumeration objects returned by Hashtable are NOT guaranteed to be fail-safe. What the javadocs state is that the Enumerations are not fail-fast. What actually happens when you modify a Hashtable and enumerate it at the same time is not specified. (If you really want to know, look at the source code for the specific version of Java you are using.)


The iterators returned by the iterator method of the collections returned by all of this class's "collection view methods" are fail-fast: if the Hashtable is structurally modified at any time after the iterator is created, in any way except through the iterator's own remove method, the iterator will throw a ConcurrentModificationException. Thus, in the face of concurrent modification, the iterator fails quickly and cleanly, rather than risking arbitrary, non-deterministic behavior at an undetermined time in the future. The Enumerations returned by Hashtable's keys and elements methods are not fail-fast.
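The three behaviours the Java exchange above distinguishes, as an added example that is not part of the original post: a fail-fast Iterator from a Hashtable collection view, a legacy Enumeration from Hashtable.keys() that is not fail-fast, and a snapshot iterator from CopyOnWriteArrayList (the class names are standard JDK; the sample data is constructed).

```java
import java.util.ConcurrentModificationException;
import java.util.Enumeration;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.concurrent.CopyOnWriteArrayList;

public class FailFastDemo {

    // Fail-fast: the Iterator over Hashtable's keySet() view checks the table's
    // modification count on each next(), so a put() made outside the iterator's
    // own remove() is reported as ConcurrentModificationException.
    static String iteratorUnderModification(Hashtable<String, Integer> table) {
        try {
            Iterator<String> it = table.keySet().iterator();
            boolean first = true;
            while (it.hasNext()) {
                it.next();
                if (first) { table.put("extra", 99); first = false; } // structural change
            }
            return "completed";
        } catch (ConcurrentModificationException ex) {
            return "CME";
        }
    }

    // Not fail-fast: the Enumeration from keys() never checks the modification
    // count, so no exception is thrown; whether it ever yields "extra" is unspecified.
    static int enumerationUnderModification(Hashtable<String, Integer> table) {
        int seen = 0;
        boolean first = true;
        for (Enumeration<String> e = table.keys(); e.hasMoreElements(); ) {
            e.nextElement();
            seen++;
            if (first) { table.put("extra", 99); first = false; }
        }
        return seen;
    }

    // Snapshot iteration: CopyOnWriteArrayList copies its array on every write,
    // so this loop sees only the three elements present when it started.
    static int snapshotUnderModification(CopyOnWriteArrayList<Integer> list) {
        int seen = 0;
        for (Integer ignored : list) { list.add(seen); seen++; } // no exception, not visible
        return seen;
    }

    public static void main(String[] args) {
        Hashtable<String, Integer> t1 = new Hashtable<>(), t2 = new Hashtable<>();
        for (String k : new String[] {"a", "b", "c"}) { t1.put(k, 1); t2.put(k, 1); }
        System.out.println(iteratorUnderModification(t1));            // CME
        System.out.println(enumerationUnderModification(t2));         // no exception
        System.out.println(snapshotUnderModification(new CopyOnWriteArrayList<>(new Integer[] {1, 2, 3}))); // 3
    }
}
```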
