I work for a large rail transit agency and many of our new vehicles and track signaling installations use some kind of "checked redundant control system" (multiple processors running on several diverse algorithms) for implementing safety critical functions.

However the "activation level switches" that initiate the final commands associated with many of the safety critical functions are some kind of FET switching transistors. The FETs are quite commonly used instead of the old fashioned electro-mechanical relays which are considered fail-safe.

Is anyone familiar with how these transistors are designed so they can be trusted to fail only in the open or OFF condition?

 

I work for a large rail transit agency and many of our new vehicles and track signaling installations use some kind of "checked redundant control system" (multiple processors running on several diverse algorithms) for implementing safety critical functions.

However the "activation level switches" that initiate the final commands associated with many of the safety critical functions are some kind of FET switching transistors. The FETs are quite commonly used instead of the old fashioned electro-mechanical relays which are considered fail-safe.

Is anyone familiar with how these transistors are designed so they can be trusted to fail only in the open or OFF condition?

A normal (enhancement mode) FET will fail in the off position, while a depletion mode FET will fail in the on position.
Source: http://en.wikipedia.org/wiki/Depletion_and_enhancement_modes
But I cannot tell you for sure if they will always fail that way, it might depend on the nature of the event that caused its failure, in the first place. Even if they did, if your application is critical, I'd use an extra layer of redundant security.
Now that I think of it, not even electro-mechanical relays are 100% fail-safe when it comes to determining the way they will fail... the contacts could get stuck or welded together, again depending on the nature of the event.

 

The electro-mechanical relays used in railway applications (often called "vital" relays) are specially designed for safety critical functions and feature non-welding copper to carbon contacts.

http://www.morssmitt.com/railway/click_the_train.htm

The older equipment in our subway has about 4300 of these vital relays and it has been in operation for about 35 years without a hazardous failure. However the newer installations (from the mid 90s) use checked redundant processors with FET outputs. We also have track switch controls that use Hall Effect proximity sensors to monitor the position of the rails in order for the train wheels to pass over the switch.

So far, none of these pure electronic devices have experienced an unsafe failure.

 

The electro-mechanical relays used in railway applications (often called "vital" relays) are specially designed for safety critical functions and feature non-welding copper to carbon contacts.

http://www.morssmitt.com/railway/click_the_train.htm

The older equipment in our subway has about 4300 of these vital relays and it has been in operation for about 35 years without a hazardous failure. However the newer installations (from the mid 90s) use checked redundant processors with FET outputs. We also have track switch controls that use Hall Effect proximity sensors to monitor the position of the rails in order for the train wheels to pass over the switch.

So far, none of these pure electronic devices have experienced an unsafe failure.

Then it all lies in the nature of the design... redundant protection, intrisincal safety and continuous closed-loop monitoring... those are all elements of life support systems, for instance. I'm no expert in that field, but if I ever needed the level of safety that you're requesting, that's where I'd start looking for examples.