Fail Safe in Level Instruments: What It Is and Why It Matters

Every level instrument will fail at some point. The question is not whether it will, but what happens when it does.

A fail-safe design answers that question before failure occurs. It ensures that when an instrument faults, whether from a power cut, a snapped cable, or an internal sensor error, the output automatically moves to a predefined safe state, pushing the associated process away from danger rather than toward it. Without this, a faulty instrument can show a normal reading while the actual level in the tank is anything but.

What can go wrong

Level instrument failures take several forms: high or low level alarm conditions, power failures, signal cable breaks or shorts, sensor and internal faults, signal loss, and loss of instrument air in pneumatic systems. Any one of these, if unhandled, can cause tank overflow, dry running of pumps and agitators, vessel or piping damage, personnel safety incidents, or regulatory non-compliance. Fail-safe design closes that gap.

How it works in level switches

The industry standard approach is the de-energize-to-trip philosophy, using normally closed relay contacts. Two configurations are in common use.

Fail-Safe High treats any failure as a high level condition. The relay stays energized during normal operation. When the level reaches a high setpoint, or when any fault occurs, the relay de-energizes, closing the filling valve or stopping the pump. This is the configuration for overflow prevention.

Fail-Safe Low treats any failure as a low level condition. Again, the relay stays energized during normal operation. When the level drops to a low setpoint, or when a fault occurs, the relay de-energizes, closing drain valves and stopping pumps and agitators. This protects against dry running.

The table below shows what this looks like in practice for a Fail-Safe High application:

| Condition / Event | Instrument Output | PLC Input | Action / Application |
|---|---|---|---|
| Normal operation | Energized | 1 | Tank filling allowed |
| Tank reaches HH | De-energized | 0 | Valve closes |
| Power failure | De-energized | 0 | Valve closes |
| Cable cut | De-energized | 0 | Valve closes |
| Sensor / electronics fail | De-energized | 0 | Valve closes |
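The relay logic behind the two configurations and the truth table above can be modelled in a few lines. The following is an added example written for this page, not Techtrol's code or firmware: the `FieldState` fields, the setpoints and the fault cases are constructed for illustration. It goes one step beyond the article by also modelling the opposite energize-to-trip wiring of the same switch, purely to show which of the table's fault rows that wiring would silently mask.

```python
"""Added example for this page (not Techtrol's code): a model of a level switch
wired de-energize-to-trip, as in the article, plus the opposite energize-to-trip
wiring for contrast. Field names, setpoints and fault cases are constructed."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    FSH = "Fail-Safe High"   # trip on high level or any fault: stop filling
    FSL = "Fail-Safe Low"    # trip on low level or any fault: stop draining/pumps


@dataclass
class FieldState:
    level_pct: float          # actual tank level, % of span (constructed)
    powered: bool = True      # supply present at the switch
    cable_ok: bool = True     # signal cable to the PLC intact
    sensor_ok: bool = True    # probe and electronics healthy


def level_in_alarm(mode: Mode, level_pct: float, setpoint_pct: float) -> bool:
    """True when the real level is on the unsafe side of the setpoint."""
    if mode is Mode.FSH:
        return level_pct >= setpoint_pct
    return level_pct <= setpoint_pct


def plc_input(mode: Mode, st: FieldState, setpoint_pct: float,
              de_energize_to_trip: bool = True) -> int:
    """The bit the PLC reads: 1 while an energised relay contact is reachable
    over an intact cable, 0 in every other case."""
    healthy = st.powered and st.sensor_ok
    alarm = level_in_alarm(mode, st.level_pct, setpoint_pct)
    if de_energize_to_trip:
        energised = healthy and not alarm   # held up only while all is well
    else:
        energised = healthy and alarm       # pulled in only to announce alarm
    # A cut cable reads 0 at the PLC whatever the relay coil is doing.
    return 1 if (energised and st.cable_ok) else 0


def action(mode: Mode, bit: int, de_energize_to_trip: bool = True) -> str:
    """PLC logic: with de-energize-to-trip, 0 is the trip state; with
    energize-to-trip, 1 is."""
    trip = (bit == 0) if de_energize_to_trip else (bit == 1)
    if mode is Mode.FSH:
        return "Valve closes" if trip else "Tank filling allowed"
    return "Drain valve closes, pump and agitator stop" if trip else "Draining allowed"


def evaluate(mode, st, setpoint_pct, de_energize_to_trip=True):
    """Return (PLC input bit, resulting action) for one field condition."""
    bit = plc_input(mode, st, setpoint_pct, de_energize_to_trip)
    return bit, action(mode, bit, de_energize_to_trip)


# Constructed fault cases mirroring the table rows; each fault is placed at a
# level already past the high setpoint, the worst case for a masked alarm.
CASES = {
    "Normal operation":          FieldState(level_pct=50.0),
    "Tank reaches HH":           FieldState(level_pct=95.0),
    "Power failure":             FieldState(level_pct=95.0, powered=False),
    "Cable cut":                 FieldState(level_pct=95.0, cable_ok=False),
    "Sensor / electronics fail": FieldState(level_pct=95.0, sensor_ok=False),
}


def truth_table(mode, setpoint_pct, de_energize_to_trip=True):
    """Evaluate every case: the article's table, generated."""
    return {name: evaluate(mode, st, setpoint_pct, de_energize_to_trip)
            for name, st in CASES.items()}


def masked_alarms(mode, setpoint_pct, de_energize_to_trip=True):
    """Cases where the level is really in alarm but the plant keeps running:
    the outcomes a fail-safe design exists to rule out."""
    masked = []
    for name, st in CASES.items():
        _, act = evaluate(mode, st, setpoint_pct, de_energize_to_trip)
        running = act in ("Tank filling allowed", "Draining allowed")
        if level_in_alarm(mode, st.level_pct, setpoint_pct) and running:
            masked.append(name)
    return masked


if __name__ == "__main__":
    for philosophy in (True, False):
        label = "de-energize-to-trip" if philosophy else "energize-to-trip"
        print(f"\nFail-Safe High, {label}:")
        for name, (bit, act) in truth_table(Mode.FSH, 90.0, philosophy).items():
            print(f"  {name:<26} PLC={bit}  {act}")
        print("  masked alarms:", masked_alarms(Mode.FSH, 90.0, philosophy) or "none")
```

Under de-energize-to-trip every row after the first collapses to PLC input 0 and "Valve closes", exactly as in the table; under energize-to-trip the power failure, cable cut and sensor fault rows all read as 0 and therefore as "normal", which is the gap the article's philosophy is chosen to close.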

Fail-safe output in vibrating fork switches:

| Level | FSL – Fail Safe Low | FSL – Fail Safe Low | FSH – Fail Safe High | FSH – Fail Safe High |
|---|---|---|---|---|
| Relay O/P Contacts | Energised | De-energised | Energised | De-energised |
| Status | Normal Condition | Alarm/Fail Condition | Normal Condition | Alarm/Fail Condition |
| Action | Drain Valve Open | Drain Valve Closes | Filling Valve Open | Filling Valve Closes |

Techtrol's conductivity, capacitance, vibrating fork, and RF admittance level switches all carry integrated fail-safe capability across both FSL and FSH configurations.

How it works in level transmitters

For transmitters, fail-safe is implemented through signal behaviour and diagnostics. In a standard 4 to 20 mA analog system, the normal operating range leaves room at both ends for fault signalling: a Fail-Safe High output drives the signal above 20 mA, and a Fail-Safe Low output drops it below 4 mA. Both conditions are unambiguously outside the normal range, so the receiving system knows to act.

| Output State | Current Value |
|---|---|
| Normal Operation | 4 to 20 mA |
| Fail Safe High | Above 20 mA |
| Fail Safe Low | Below 4 mA |

Techtrol's magnetostrictive, ultrasonic, and radar transmitters allow the fail-safe output behaviour to be configured per application: drive output to minimum at 3.6 mA, drive output to maximum at 21 mA, or hold the last valid reading.

The right choice depends on the process. A water tank transmitter set to Fail-Safe Low will stop the pump and open the filling valve if it loses signal, protecting against dry run. A steam line transmitter set to Fail-Safe High will open the safety valve or shut the boiler on fault, preventing overpressure. Hold Last Value works well for applications where brief signal interruptions occur and continuity matters more than a conservative default.
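As an added example (not Techtrol's code), here are both ends of the 4 to 20 mA loop described above: a transmitter model with the three configurable fail-safe behaviours, using the 3.6 mA and 21 mA values quoted for the transmitters, and the receiver-side decoding that has to classify the current before trusting it as a level. The sample stream, the `FailMode` names and the function names are constructed for illustration. Running it under each behaviour shows why Hold Last Value is the one a receiver cannot distinguish from a healthy reading.

```python
"""Added example for this page (not Techtrol's code): a 4 to 20 mA level
transmitter with the three configurable fail-safe behaviours quoted above, and
the receiver-side decoding of the loop current. Sample values are constructed."""
from enum import Enum

NORMAL_LO_MA, NORMAL_HI_MA = 4.0, 20.0    # live-zero measuring range
FAIL_LOW_MA, FAIL_HIGH_MA = 3.6, 21.0     # configured fail-safe values quoted above


class FailMode(Enum):
    LOW = "drive output to minimum (3.6 mA)"
    HIGH = "drive output to maximum (21 mA)"
    HOLD = "hold last valid reading"


def transmitter_output(level_pct: float, healthy: bool,
                       fail_mode: FailMode, last_valid_ma: float) -> float:
    """Loop current the transmitter drives for a given level and health."""
    if healthy:
        return NORMAL_LO_MA + (NORMAL_HI_MA - NORMAL_LO_MA) * level_pct / 100.0
    if fail_mode is FailMode.LOW:
        return FAIL_LOW_MA
    if fail_mode is FailMode.HIGH:
        return FAIL_HIGH_MA
    return last_valid_ma                  # HOLD: keep driving the old value


def receiver_decode(loop_ma: float, span_units: float = 100.0):
    """PLC/DCS side: classify the current before trusting it as a level.
    Returns (state, level); level is None outside the 4 to 20 mA range."""
    if loop_ma < NORMAL_LO_MA:
        return "fail_safe_low", None      # covers 3.6 mA and an open loop (0 mA)
    if loop_ma > NORMAL_HI_MA:
        return "fail_safe_high", None     # covers 21 mA
    level = (loop_ma - NORMAL_LO_MA) / (NORMAL_HI_MA - NORMAL_LO_MA) * span_units
    return "normal", level


# Constructed sample stream: (level %, transmitter healthy). The third and
# fourth samples are taken while the transmitter is faulted.
SAMPLES = [(25.0, True), (50.0, True), (60.0, False), (65.0, False), (75.0, True)]


def run_loop(samples, fail_mode: FailMode):
    """Drive the transmitter model over the stream and decode each sample."""
    last_valid = NORMAL_LO_MA
    rows = []
    for level_pct, healthy in samples:
        ma = transmitter_output(level_pct, healthy, fail_mode, last_valid)
        if healthy:
            last_valid = ma
        state, level = receiver_decode(ma)
        rows.append((round(ma, 2), state, None if level is None else round(level, 1)))
    return rows


def hidden_faults(samples, fail_mode: FailMode) -> int:
    """Samples taken while faulted that the receiver nevertheless reads as 'normal'."""
    decoded = run_loop(samples, fail_mode)
    return sum(1 for (_, healthy), (_, state, _) in zip(samples, decoded)
               if not healthy and state == "normal")


if __name__ == "__main__":
    for mode in FailMode:
        print(f"\n{mode.value}:")
        for ma, state, level in run_loop(SAMPLES, mode):
            print(f"  {ma:5.1f} mA  {state:<15} level={level}")
        print("  faults invisible to the receiver:", hidden_faults(SAMPLES, mode))
```

With `FailMode.LOW` or `FailMode.HIGH` the two faulted samples land at 3.6 mA and 21 mA and the receiver flags them immediately; with `FailMode.HOLD` they decode as a perfectly plausible 50% level, which is the trade-off the paragraph above describes: continuity is preserved, but the loop current alone tells the receiver nothing about the fault.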

The bottom line

Fail-safe capability in a level instrument is the difference between a fault that the system handles automatically and one that an operator has to catch before it becomes an incident. Specifying fail-safe capable switches and transmitters is a straightforward decision that prevents far more expensive ones downstream.

All Rights Reserved © 2021 PUNE TECHTROL PRIVATE LIMITED