1oo2 Voting Architecture

One-out-of-two voting (1oo2) employs two devices instead of one. In this arrangement of two devices, a single vote to shut down from either device causes the shutdown action to occur.

1oo2 Voting

Physically, this is represented by two switches in series. If either the “A” switch opens the circuit (i.e., votes to trip) or the “B” device does, a shutdown action is taken.

This arrangement is the “safe” arrangement because, for the system to fail dangerously, both of the individual switches would have to fail dangerously. This arrangement is tolerant to one dangerous failure because if the “A” switch contacts were welded closed, the “B” switch could still open to de-energize the circuit and bring the plant back to a safe state. While this arrangement is tolerant to one dangerous failure, it is not tolerant to any safe failures.

Thus, if the “A” switch alone suffers a safe failure (i.e., open circuit), the entire system will fail spuriously. Adding a second device whose spurious failure can also cause a system spurious failure means that while 1oo2 voting improves safety, the spurious trip rate is twice as high.

In the table below, you can see the effect of the voting arrangement mathematically. 1oo2 voting has a much lower probability of failure (more than an order of magnitude improvement), but the spurious trip rate doubles.

The doubling of spurious trip rate makes logical sense because you have double the number of components whose failure causes a spurious trip of the system.
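The series-switch logic described above can be checked by enumerating every combination of device states. This is an added example, not part of the original page. The per-device probabilities are constructed sample values, and it assumes the two devices fail independently (no common-cause failures).

```python
from itertools import product

# Per-device state probabilities over one interval (constructed sample values,
# not taken from the page or from any real device data).
P_DANGEROUS = 0.01   # contact stuck closed: device cannot vote to trip
P_SAFE = 0.02        # contact fails open: device votes to trip with no demand
STATES = {"ok": 1 - P_DANGEROUS - P_SAFE, "dangerous": P_DANGEROUS, "safe": P_SAFE}


def series_outcome(devices):
    """Classify a series (1ooN) string of switches from its device states."""
    if "safe" in devices:
        return "spurious_trip"        # any open contact de-energizes the circuit
    if all(d == "dangerous" for d in devices):
        return "dangerous_failure"    # no contact left that can open on demand
    return "available"                # at least one healthy switch can still trip


def evaluate(n_devices):
    """Sum the probability of each system outcome over every state combination."""
    totals = {"available": 0.0, "dangerous_failure": 0.0, "spurious_trip": 0.0}
    for combo in product(STATES, repeat=n_devices):
        prob = 1.0
        for state in combo:
            prob *= STATES[state]
        totals[series_outcome(combo)] += prob
    return totals


def compare():
    """Ratio of 1oo1 to 1oo2 dangerous failure, and of 1oo2 to 1oo1 spurious trips."""
    single, dual = evaluate(1), evaluate(2)
    return {
        "dangerous_ratio": single["dangerous_failure"] / dual["dangerous_failure"],
        "spurious_ratio": dual["spurious_trip"] / single["spurious_trip"],
    }


if __name__ == "__main__":
    for n in (1, 2):
        print(f"1oo{n}:", evaluate(n))
    print(compare())
```

The mixed case (one switch welded closed, the other failed open) is counted as a spurious trip because the circuit is de-energized, which is why the spurious ratio comes out slightly under 2.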

Ultimately, 1oo2 voting is used if more safety is required, i.e., the system cannot achieve its SIL target, but the increase in spurious failure rate is tolerable.

