To provide safety in the event of system failures, safety devices are often designed to actuate when an input that is energized during normal system operation becomes de-energized for longer than a set period of time, so that loss of the signal driving the input is itself treated as a failure. Some systems with such safety devices also include redundant controllers, each capable of operating in an active/master state, in which it controls the system, or in a passive/slave state, in which it stands ready to take control in the event that the active/master controller is no longer required for, or no longer capable of, system control.
Switching control from a first controller to a second, redundant controller becomes problematic when the switchover takes longer than the safety device's de-energization period: the input remains de-energized for the duration of the switchover, so the safety device actuates even though no fault requiring it exists. In some systems, such as train control systems, the safety device may be an emergency braking system, and an unneeded emergency brake application slows the train unnecessarily and increases risk to passengers and crew while the emergency brake is applied.
While delays could be added to a safety device so that a controlled switchover completes before the safety apparatus actuates, such a delay also lengthens the interval between a genuine failure and actuation of the safety device, introducing additional risks that would need to be accommodated and potentially increasing system complexity, reducing train headway, and increasing cost.
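The timing conflict described above, as an added simulation that is not part of the original text and does not model any particular product: a de-energize-to-trip safety device with a dropout period, an active controller that stops driving the vital input at a chosen instant, and a standby that needs a detection time plus a takeover time before it drives the input again. All names (`SafetyDevice`, `Scenario`, `run`, `nuisance_trip`, `brake_latency_ms`) and all timing values are assumptions chosen for illustration. Running it shows the three cases the text argues about: a switchover shorter than the dropout period is invisible to the safety device; a longer one latches a nuisance trip even though control is restored later; and lengthening the dropout period to hide the switchover also lengthens the time a genuine failure (no standby available) goes unmitigated.

```python
"""Added example: timing of a de-energize-to-trip safety device versus controller switchover.

Hypothetical model, not the text's own design. Time is simulated in 1 ms ticks.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SafetyDevice:
    """Actuates (e.g. applies the emergency brake) once its vital input has been
    de-energized continuously for more than dropout_ms. The trip is latched."""
    dropout_ms: int
    deenergized_for_ms: int = 0
    tripped_at_ms: Optional[int] = None

    def step(self, now_ms: int, energized: bool, dt_ms: int) -> None:
        if self.tripped_at_ms is not None:
            return                      # latched: a tripped brake stays applied
        if energized:
            self.deenergized_for_ms = 0  # any energized tick restarts the dropout timer
            return
        self.deenergized_for_ms += dt_ms
        if self.deenergized_for_ms > self.dropout_ms:
            self.tripped_at_ms = now_ms


@dataclass(frozen=True)
class Scenario:
    """Constructed timing parameters for one run (all values are assumptions)."""
    dropout_ms: int                  # safety device de-energization period before actuation
    fail_at_ms: int                  # tick at which the active/master stops driving the output
    detect_ms: int                   # time for the standby to notice the master is gone
    takeover_ms: int                 # time for the standby to become active and drive the output
    standby_available: bool = True   # False models a genuine failure the brake must catch
    horizon_ms: int = 5000


@dataclass
class Result:
    tripped_at_ms: Optional[int]        # tick at which the brake actuated, None if never
    control_restored_ms: Optional[int]  # tick at which the standby began driving the output


def run(s: Scenario, dt_ms: int = 1) -> Result:
    """Drive the safety device tick by tick through the failure and switchover."""
    device = SafetyDevice(s.dropout_ms)
    switchover_done = s.fail_at_ms + s.detect_ms + s.takeover_ms
    restored: Optional[int] = None
    for now in range(0, s.horizon_ms, dt_ms):
        master_drives = now < s.fail_at_ms
        standby_drives = s.standby_available and now >= switchover_done
        if standby_drives and restored is None:
            restored = now
        device.step(now, master_drives or standby_drives, dt_ms)
    return Result(device.tripped_at_ms, restored)


def nuisance_trip(s: Scenario) -> bool:
    """True when the brake actuated even though a standby later restored control."""
    r = run(s)
    return r.tripped_at_ms is not None and r.control_restored_ms is not None


def brake_latency_ms(dropout_ms: int, fail_at_ms: int = 1000) -> int:
    """Ticks from a genuine failure (no standby) to brake actuation for a given dropout period.
    This is the window that grows when a delay is added to hide a slow switchover."""
    r = run(Scenario(dropout_ms, fail_at_ms, 0, 0, standby_available=False))
    assert r.tripped_at_ms is not None
    return r.tripped_at_ms - fail_at_ms


if __name__ == "__main__":
    cases = {
        "fast switchover (200 ms) under a 500 ms dropout": Scenario(500, 1000, 50, 150),
        "slow switchover (800 ms) under a 500 ms dropout": Scenario(500, 1000, 300, 500),
        "slow switchover (800 ms) hidden by a 1000 ms dropout": Scenario(1000, 1000, 300, 500),
    }
    for label, sc in cases.items():
        r = run(sc)
        print(f"{label}: tripped_at={r.tripped_at_ms} control_restored={r.control_restored_ms} "
              f"nuisance_trip={nuisance_trip(sc)}")
    for d in (500, 1000):
        print(f"dropout {d} ms: genuine failure goes unmitigated for {brake_latency_ms(d)} ms")
```

The boundary matters: the device trips only when the input has been dead for longer than the dropout period, so a switchover that takes exactly the dropout period does not trip it, while one tick more does. The last two lines of output are the cost of the mitigation in the final paragraph: doubling the dropout period to absorb a slow switchover doubles the time a real controller loss runs without the brake.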