Glossary term
Safe State
Engineering definition of a safe state covering fail-safe behavior, fault-to-safe time, stored energy, reset rules and validation evidence.
Definition
A safe state is a defined system condition in which risk has been reduced to an acceptable level for the relevant fault, operating mode or human exposure.
A safe state may mean power removed, motion stopped, pressure vented, torque disabled, therapy halted, brakes applied, outputs de-energized, payload shut down, controller authority reduced, or a latched fault requiring deliberate reset. It is not always the same as off, and it must be defined from the hazard, stored energy, timing and recovery requirements.
A safe state is the condition a system must reach when a fault, hazardous access, invalid command, unsafe measurement, communication loss or degraded mode requires risk reduction. It is the target condition, not the mechanism. An interlock, watchdog, protection relay, controller, brake, valve, shutdown trip or operator procedure may drive the system toward a safe state, but the safe state itself must be defined and verified.
The safe state is not always “off.” A spacecraft safe mode may keep heaters and communications alive. A medical device may stop therapy while preserving alarms. A power converter may disable gate drive while maintaining discharge monitoring. A robot cell may stop hazardous motion while keeping diagnostics energized.
State Definition
A safe state should be written as explicit conditions, not a vague label. A simple logical screen is:
where the hazardous output is removed or controlled, stored energy is below the accepted limit and restart is blocked until the reset rule is satisfied. The exact terms depend on the hazard. For a motor drive, torque may matter. For a pressure system, vented pressure may matter. For a medical device, dose delivery and alarm state may matter.
Fault-to-Safe Timing
The time to reach a safe state can be budgeted as:
The timing requirement is:
The safety margin is:
This timing should include real sensing, logic, communication, actuator response, mechanical stop, valve closure, relay dropout, brake engagement, discharge or stabilization behavior. A software bit changing state is not enough if the physical hazard persists.
Stored Energy
Safe-state design must consider stored energy. Rotating inertia, elevated load, compressed air, hydraulic pressure, charged capacitors, hot surfaces, chemical inventory and battery energy can remain hazardous after a command is removed.
For a first-order discharge or decay screen:
The time to fall below the safe energy threshold is:
This model is only a screen. Real discharge paths need component tolerances, fault conditions, temperature, contact state and measurement evidence.
Worked Example
A guarded electromechanical station must reach a safe state before a person can access the hazard. The access time is:
The measured chain is:
and:
The fault-to-safe time is:
The margin is:
Now check stored energy. A capacitor bank starts with:
The accepted maintenance threshold is:
With discharge time constant:
the discharge time is:
Because 0.447 s is less than the 0.850 s access time, the first screen passes. The release still needs measured voltage or energy evidence under worst-case tolerance, not only the nominal calculation.
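The timing budget and the stored-energy screen from the Fault-to-Safe Timing and Stored Energy sections, carried through in code. This is an added example, not the page's own material: the chain stage times, capacitor energies and time-constant tolerance are constructed illustrations (only the 0.850 s access time is the page's), and the decay is assumed to have the first-order form E(t) = E0·exp(−t/τ), which is the screen the text describes but does not write out.

```python
"""Fault-to-safe timing budget and first-order stored-energy screen.

Added example for this glossary entry, not code from the page or from any
product. Every number in the sample data is a constructed illustration
except the 0.850 s access time, which the page states.
"""
import math
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Stage:
    """One link of the fault-to-safe chain with nominal and worst-case time (s)."""
    name: str
    t_nominal: float
    t_worst: float


def fault_to_safe_time(chain: Sequence[Stage], worst_case: bool = True) -> float:
    """Budget: sum every physical and logical delay between the demand and the
    moment the hazard is actually gone (sensing, logic, comms, dropout, stop)."""
    return sum(s.t_worst if worst_case else s.t_nominal for s in chain)


def discharge_time(e_initial: float, e_safe: float, tau: float) -> float:
    """First-order screen, assumed form E(t) = E0 * exp(-t / tau).
    Solve E(t) = e_safe for t; already safe if e_initial <= e_safe."""
    if e_initial <= e_safe:
        return 0.0
    return tau * math.log(e_initial / e_safe)


def safe_state_screen(t_access, chain, e_initial, e_safe, tau,
                      tau_tol=0.0, worst_case=True):
    """Run both screens against the access time. With worst_case set, the
    chain uses its worst-case stage times and tau is widened by tau_tol
    (slowest plausible discharge path); otherwise nominal values are used."""
    t_fts = fault_to_safe_time(chain, worst_case)
    tau_used = tau * (1.0 + tau_tol) if worst_case else tau
    t_dis = discharge_time(e_initial, e_safe, tau_used)
    return {
        "t_fault_to_safe": t_fts,
        "timing_margin": t_access - t_fts,
        "t_discharge": t_dis,
        "energy_margin": t_access - t_dis,
        "binding": "timing" if t_fts >= t_dis else "stored_energy",
        "passes": t_fts < t_access and t_dis < t_access,
    }


# Constructed sample chain for a guarded station (assumed values, not the page's data).
SAMPLE_CHAIN = (
    Stage("guard switch contact open", 0.010, 0.015),
    Stage("safety logic scan", 0.020, 0.030),
    Stage("safety network latency", 0.010, 0.025),
    Stage("contactor dropout", 0.030, 0.050),
    Stage("brake engagement", 0.150, 0.250),
    Stage("motion to standstill", 0.200, 0.350),
)
SAMPLE_ACCESS_TIME = 0.850                  # s, from the page's worked example
SAMPLE_E0, SAMPLE_E_SAFE = 200.0, 1.0       # J, constructed capacitor-bank energies
SAMPLE_TAU, SAMPLE_TAU_TOL = 0.080, 0.20    # s and +20 % tolerance, constructed


if __name__ == "__main__":
    for wc in (False, True):
        r = safe_state_screen(SAMPLE_ACCESS_TIME, SAMPLE_CHAIN, SAMPLE_E0,
                              SAMPLE_E_SAFE, SAMPLE_TAU, SAMPLE_TAU_TOL, worst_case=wc)
        label = "worst-case" if wc else "nominal"
        print(f"{label:10s} fault-to-safe {r['t_fault_to_safe']:.3f} s, "
              f"discharge {r['t_discharge']:.3f} s, binding: {r['binding']}, "
              f"passes: {r['passes']}")
```

Running both passes shows why the text insists on worst-case evidence: with these sample values the nominal chain sums to 0.420 s and the worst-case chain to 0.720 s, so an access time tightened to, say, 0.600 s would pass the nominal screen and fail the worst-case one. The screen also reports which limit binds, since the slower of the two (mechanical stop or stored-energy decay) is the one that needs measured evidence first.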
Boundary With Interlocks
An interlock is a constraint or mechanism. The safe state is the condition that the mechanism must achieve. Opening a guard switch is not the safe state. Stopped motion, disabled torque, blocked restart and verified access timing may be the safe state.
This distinction prevents weak validation. A test that proves only that an input bit changed does not prove the physical system is safe.
Recovery And Reset
A safe state should include restart rules. Many incidents occur after the initial trip, when equipment restarts unexpectedly, a latch is cleared without diagnosis or a controller boots with outputs enabled. A strong safe-state definition states whether reset is automatic, manual, local, remote, latched, supervised or inhibited until conditions are revalidated.
Degraded modes should also be named. A controlled degraded mode may be acceptable when risk is bounded and visible. A hidden degraded mode is not a safe state if operators or software continue as if the system were nominal.
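The reset rules above as executable logic, added here as an illustration rather than taken from the page, any product or any standard. The state names, event names and the three revalidation checks are assumptions; what the block demonstrates is the shape of a restart inhibit that the text calls for: the controller boots latched with outputs disabled, a trip latches from any state, reset is refused unless it is local, the trip cause has been diagnosed and measured conditions are revalidated, and a successful reset lands in a ready state rather than restarting the hazardous output.

```python
"""Restart-inhibit logic for a latched safe state.

Added example for this glossary entry, not code from the page, any product or
any standard. State names, event names and the revalidation checks are
assumptions chosen to illustrate the reset rules described above.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    SAFE_LATCHED = "safe_latched"  # outputs disabled, trip cause held until a valid reset
    READY = "ready"                # safe, reset accepted; restart still needs a deliberate start
    RUNNING = "running"            # hazardous outputs enabled


@dataclass(frozen=True)
class Revalidation:
    """Measured plant conditions presented at reset time (assumed measurement points)."""
    guard_closed: bool
    energy_below_limit: bool     # from a voltage/pressure/speed measurement, not a timer
    outputs_read_back_off: bool  # feedback contact or readback, not the command bit

    def ok(self) -> bool:
        return self.guard_closed and self.energy_below_limit and self.outputs_read_back_off


@dataclass
class SafeStateController:
    state: State = State.SAFE_LATCHED
    outputs_enabled: bool = False
    trip_cause: Optional[str] = None
    diagnosed: bool = False
    log: List[str] = field(default_factory=list)

    def power_on(self) -> None:
        """Boot path: land in the latched safe state with outputs disabled,
        whatever the outputs were doing when power was lost."""
        self._latch("power_on")

    def trip(self, cause: str) -> None:
        """Any demand (fault, guard open, comms loss, invalid command) latches."""
        self._latch(cause)

    def _latch(self, cause: str) -> None:
        self.state = State.SAFE_LATCHED
        self.outputs_enabled = False
        self.trip_cause = cause
        self.diagnosed = False
        self.log.append(f"latched: {cause}")

    def acknowledge(self, note: str) -> None:
        """Operator records a diagnosis; the latch cannot be cleared without one."""
        if self.state is State.SAFE_LATCHED:
            self.diagnosed = True
            self.log.append(f"diagnosed {self.trip_cause}: {note}")

    def reset(self, source: str, rv: Revalidation) -> bool:
        """Manual, local, supervised reset. Clears the latch to READY only,
        never straight to RUNNING, and only after conditions are revalidated."""
        if self.state is not State.SAFE_LATCHED:
            return False
        if source != "local":
            self.log.append(f"reset from '{source}' refused: local reset only")
            return False
        if not self.diagnosed:
            self.log.append("reset refused: trip cause not diagnosed")
            return False
        if not rv.ok():
            self.log.append(f"reset refused: revalidation failed {rv}")
            return False
        self.state = State.READY
        self.trip_cause = None
        self.log.append("reset accepted: READY, outputs remain disabled")
        return True

    def start(self, rv: Revalidation) -> bool:
        """A separate deliberate action re-enables outputs, with a fresh guard check."""
        if self.state is not State.READY or not rv.guard_closed:
            return False
        self.state = State.RUNNING
        self.outputs_enabled = True
        self.log.append("started")
        return True
```

The `log` list is the part worth keeping in a real controller: each refused reset records why, which is the evidence a proof test of the restart inhibit needs. Note that `Revalidation` carries measured values; passing the command bits back in would reproduce the "software flag as physical safety" mistake the text warns about.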
Validation Evidence
Useful evidence includes hazard analysis, state-transition table, timing traces, stop-time measurement, actuator or relay dropout evidence, stored-energy discharge records, output-state measurements during reset and brown-out, interlock proof tests, watchdog fault injection, communication-loss tests, startup and recovery tests, alarm records and restart-inhibit verification.
Common mistakes include defining the safe state as “system off” without checking stored energy, treating a software flag as physical safety, ignoring restart behavior, omitting degraded modes, relying on a watchdog reset without output evidence, assuming a valve or relay reaches the safe position, and validating nominal trips without fault injection. A defensible safe-state claim states the hazard, the required state, the time limit, the reset rule and the evidence that the physical system reaches that state.