(I rephrased all this)
Regarding the "fail-safe".
That a sensor uses N.C. contacts doesn't mean it is fail-safe. One has to take into account what happens if the signal is lost, and choose the version (N.O. or N.C., and "above" or "below") that has the least grave consequence and/or the one that can most easily be detected to be in error.
The most fail-safe combination of sensors in the wikipedia example must be:
Low level sensor: Indicates "above low level" with an N.C. contact.
High level sensor: Indicates "below high level" with an N.C. contact.
Argumentation:
Assuming that overfilling will be a worse scenario than the tank going empty.
If power supply is lost to both sensors, the PLC will see it as simultaneously below low level and above high level. This is impossible, so it should generate an alarm and halt the pump.
If power is lost to the low level sensor, it will start the pump but only until the high level sensor is reached.
If power is lost to the high level sensor, it will stop the pump completely.
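The loss-of-signal reasoning in the post can be checked mechanically. The following is an added example (not the poster's code and not the Wikipedia ladder-logic program) that models the two N.C. sensors, a simple fill-pump PLC program with seal-in between the two levels, and the three power-loss cases the post walks through. It assumes the pump fills the tank, that a PLC input reads 1 only while the N.C. contact is closed (so a de-energised sensor reads 0 regardless of the real level), and uses constructed level set points of 20 and 80.

```python
"""Fail-safe analysis of N.C. low/high level sensors on a fill pump.

Added example; assumptions (not from the post): the pump fills the tank,
input = 1 means the N.C. contact is closed and the sensor is powered,
input = 0 means the contact is open OR the sensor has lost power.
"""

from dataclasses import dataclass


@dataclass
class PlcState:
    pump_running: bool = False
    alarm: bool = False


def sensor_inputs(level, low_setpoint, high_setpoint,
                  low_powered=True, high_powered=True):
    """Translate a physical level (constructed units) into the two PLC inputs.

    low_above  -- 1 when the low sensor's N.C. contact reports "above low level"
    high_below -- 1 when the high sensor's N.C. contact reports "below high level"
    An unpowered sensor drops its signal, so its input reads 0 whatever the level.
    """
    low_above = int(low_powered and level > low_setpoint)
    high_below = int(high_powered and level < high_setpoint)
    return low_above, high_below


def plc_scan(state, low_above, high_below):
    """One PLC scan of the fill-pump program; returns the new PlcState."""
    below_low = not low_above
    above_high = not high_below
    if below_low and above_high:
        # Physically impossible: the level cannot be below low and above high.
        # Treat as a sensor/wiring fault: alarm and halt the pump.
        return PlcState(pump_running=False, alarm=True)
    if above_high:
        return PlcState(pump_running=False)        # tank full: stop pump
    if below_low:
        return PlcState(pump_running=True)         # tank empty: start pump
    # Between the two levels: hold the previous pump state (seal-in rung).
    return PlcState(pump_running=state.pump_running)


def failure_analysis(level=50, low=20, high=80):
    """Single-scan outcome for each power-loss case, starting with pump off."""
    cases = [("healthy", True, True), ("both lost", False, False),
             ("low lost", False, True), ("high lost", True, False)]
    results = {}
    for name, low_powered, high_powered in cases:
        inputs = sensor_inputs(level, low, high, low_powered, high_powered)
        s = plc_scan(PlcState(), *inputs)
        results[name] = (s.pump_running, s.alarm)
    return results


def simulate(level, low, high, low_powered=True, high_powered=True, scans=200):
    """Run repeated scans; the level rises by one unit per scan while the pump
    runs. Stops early on alarm. Returns (final level, final PlcState)."""
    state = PlcState()
    for _ in range(scans):
        inputs = sensor_inputs(level, low, high, low_powered, high_powered)
        state = plc_scan(state, *inputs)
        if state.alarm:
            break
        if state.pump_running:
            level += 1
    return level, state


if __name__ == "__main__":
    for name, outcome in failure_analysis().items():
        print(f"{name:10s} pump_running={outcome[0]} alarm={outcome[1]}")
    print("low sensor lost, tank fills until:", simulate(50, 20, 80, False, True))
```

Running the simulation with the low sensor de-energised shows the detail the post's second scenario implies: the pump runs until the high level is reached, and at that point the PLC sees "below low" and "above high" at once, so the fault is also detected and alarmed rather than silently stopping.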