In multiple redundant safety systems, multiple safety units are each capable of assuming control of a plant or complex in an active/master state while the redundant units not in control are in a passive/slave state. If failure of an active/master unit is detected, the failed unit is removed from control while a redundant unit assumes control.
Fundamental to keeping a plant or complex safe once a redundant safety computer has assumed control is ensuring that the failed unit neither interferes with the plant or complex nor attempts to reassume control of it before it has been repaired. Although a failed unit is disconnected prior to repair, further failures could occur in it while it is disconnected; such failures could be dormant, and therefore undetectable, yet still affect the safety of the plant or complex.
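The following is an added illustration, not code from the original text, of the control arbitration the passage describes: a latched lockout that keeps a failed unit out of control until an explicit repair, even if a dormant fault later makes that unit report itself healthy again. The unit names, the `Arbiter` class and its methods are assumptions made for this example.

```python
from enum import Enum, auto


class State(Enum):
    ACTIVE = auto()   # master: currently in control of the plant
    PASSIVE = auto()  # slave: standing by, not in control
    FAILED = auto()   # removed from control, locked out until repaired


class SafetyUnit:
    def __init__(self, name):
        self.name = name
        self.state = State.PASSIVE
        self.healthy = True  # self-reported health; not trusted once the unit has failed


class Arbiter:
    """Grants control of the plant to at most one unit.  The lockout is a latch:
    a unit declared failed stays locked out until repair() is called, whatever it
    later reports about itself (a dormant fault may leave it believing it is fine)."""

    def __init__(self, units):
        self.units = units
        self.locked_out = set()
        units[0].state = State.ACTIVE  # first unit starts as master

    def active(self):
        return next((u for u in self.units if u.state == State.ACTIVE), None)

    def report_failure(self, unit):
        """Remove the failed unit and fail over to the first eligible passive unit."""
        unit.state = State.FAILED
        self.locked_out.add(unit.name)
        for u in self.units:
            if u.state == State.PASSIVE and u.name not in self.locked_out:
                u.state = State.ACTIVE
                return u
        return None  # no redundant unit left: the plant must be driven to a safe state

    def request_control(self, unit):
        """A unit may take control only if it is not locked out and no master exists."""
        if unit.name in self.locked_out or self.active() is not None:
            return False
        unit.state = State.ACTIVE
        return True

    def repair(self, unit):
        """Only an explicit repair clears the latch and returns the unit to standby."""
        self.locked_out.discard(unit.name)
        unit.state = State.PASSIVE
        unit.healthy = True
```

A failed unit that later claims to be healthy is still refused control by `request_control`, while `repair` restores it as an eligible standby unit.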