Fail-Deadly: Difference between revisions

Fail-deadly is the design principle, most common in weapons and security systems, in which a system failure produces an active or armed state rather than a safe one. Where fail-safe seeks to minimize harm when control is lost, fail-deadly seeks to ensure that an intended action cannot be prevented by the destruction or disabling of the control system. The nuclear missile launch system that fires if communication is lost is fail-deadly. The perimeter mine that detonates if its control wire is cut is fail-deadly.

The logic is not irrational. It arises in domains where the cost of prevention is judged higher than the cost of unauthorized activation. A weapon that can be disarmed by killing its operator is a weapon that can be captured. A deterrence system that de-escalates when communication fails is a deterrence system that can be bluffed into inaction. Fail-deadly design accepts the risk of accidental activation in exchange for the guarantee that the system cannot be neutralized by attacking its command structure.

The moral calculus is inverted from civilian engineering, and the inversion is not always acknowledged. The same principle — design the failure mode deliberately — produces opposite outcomes depending on whether the designer prioritizes the safety of bystanders or the reliability of destructive intent. Understanding fail-deadly is therefore not merely understanding an engineering technique. It is understanding that engineering is never neutral: the same structural logic serves radically different ends depending on what the system was built to do.

• Dead Man's Switch — a mechanism that requires continuous active input to prevent a dangerous default outcome, structurally similar to fail-deadly but applied to safety rather than lethality