
Voting and Default Degradation

Voting is usually done by taking the sensor signals and comparing them in the CPU that executes the application logic. The resulting actuator signals are then routed to the output stage, where the vote for the final element is resolved either electrically (hardwired output contacts), logically (in the application program), or both.

For simple dual configurations, two votes are available. The logic can be voted either 1oo2D (one-out-of-two, with diagnostics) or 2oo2 (two-out-of-two) from the state of the two signals. In this dual configuration the two PLCs are connected in parallel (see the Figure); the entire logic solver stage, from input to output, is duplicated.

PLC: 1oo2D voting

In a system voted 1oo2D, the convention is that only one of the two channels needs to vote a trip for the plant to shut down. If one unit fails, its diagnostic contact opens that unit's output channel and removes the unit from service; the SIS function continues to be performed by the remaining channel. A system that loses the ability to receive one of the two signals, or to process it, can therefore keep operating on the other signal. This ability to "degrade" to simplex operation is built into purpose-built certified systems: the system reverts to 1oo1D when a module fault is detected.

The availability of such a system is high, because the loss of a failed component does not by itself cause a nuisance shutdown. On closer examination of the system reliability, however, an errant signal from a failed channel in a plain dual system (one without diagnostics) could drive the process to an unsafe or uncontrolled state. The diagnostics and the degradation capability eliminate this possibility, which is what critical processes requiring reliable control need.

1oo2 voting requires additional field taps, PLC or DCS input boards, system loading, and higher cable costs. The two transmitters should be wired into separate input boards, so that a single board failure cannot take out both channels.

Voting a dual system 2oo2, where both channels must vote a trip before the outputs change state, increases availability: a single spurious or failed channel cannot by itself shut the plant down, which is what is wanted where a nuisance shutdown is itself costly or hazardous to a critical process or machine. The price is safety integrity, since the system can no longer be relied on to trip once one channel has failed (see below). With fault degradation capability (2oo2D) a detected fault removes the faulty channel from the vote and the logic degrades to 1oo1D, so the remaining channel can still trip.

2oo2 is not considered fail-safe because there are many conditions in which one transmitter may be out of service and unable to trip; even if the other transmitter votes a trip, no trip can occur. This architecture is not normally used in process or personnel safety protective systems. It is most often used on rotating equipment (e.g. vibration probes for shaft shutdowns), where space limitations make it difficult to install three sensors.

If the two units are operated in series, as shown in the Figure, system availability is low but its safety reliability is very high. In this configuration either channel can trip the plant without depending on the diagnostic sections, and the plant is also tripped when either module is faulty. The configuration is not popular except where unusually high safety integrity is required.

Missing Figure
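The four dual-channel behaviours described above (hardwired series 1oo2, parallel 2oo2, and the 1oo2D/2oo2D variants that drop a diagnosed channel and degrade to 1oo1D) can be compared side by side in a small model. The following Python is an added illustration written for this page, not code from the page or from any PLC vendor. The Channel states, the scenario names and the rule that a detected fault also opens a series diagnostic contact are modelling assumptions, as is the decision that a system whose channels are all diagnosed faulty fails to the safe (tripped) state.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One complete logic-solver channel: sensor, input card, CPU, output.

    trip           -- the channel's own output is in the trip (de-energized) state
    fault_detected -- the channel's diagnostics have flagged it as faulty
    """
    trip: bool
    fault_detected: bool = False


# Constructed channel states for the scenarios below (assumed, not from the page).
HEALTHY = Channel(trip=False)                            # running, no demand
DEMAND = Channel(trip=True)                              # healthy, sees a real trip demand
SPURIOUS = Channel(trip=True)                            # failed to the trip state, undiagnosed
SPURIOUS_DET = Channel(trip=True, fault_detected=True)   # failed safe, diagnosed
DANGER_UNDET = Channel(trip=False)                       # stuck unable to trip, undiagnosed
DANGER_DET = Channel(trip=False, fault_detected=True)    # stuck unable to trip, diagnosed

_ARCH = re.compile(r"^(1|2)oo2(D?)$")


def vote(arch: str, a: Channel, b: Channel) -> bool:
    """Return True if the final element is tripped by the two-channel solver.

    '1oo2'  hardwired series contacts: either channel's output or its
            diagnostic contact opening trips the plant (no degradation).
    '2oo2'  parallel contacts: both channels must trip; diagnostics not acted on.
    '1oo2D' / '2oo2D': a channel flagged by its diagnostics is removed from
            service and the logic degrades to 1oo1D on the survivor.
    """
    m = _ARCH.match(arch)
    if not m:
        raise ValueError(f"unsupported architecture {arch!r}")
    need, diag = int(m.group(1)), bool(m.group(2))
    chans = [a, b]
    if diag:
        live = [c for c in chans if not c.fault_detected]
        if not live:
            return True                       # both channels diagnosed faulty: fail safe
        need = min(need, len(live))           # degradation: 1oo2D/2oo2D -> 1oo1D
        return sum(c.trip for c in live) >= need
    if need == 1:
        # series wiring: a detected fault opens that channel's diagnostic contact too
        return any(c.trip or c.fault_detected for c in chans)
    return all(c.trip for c in chans)         # plain 2oo2, parallel contacts


# Constructed scenarios: channel A on the left, channel B (the one that fails) on the right.
SCENARIOS = {
    "real demand, both healthy": (DEMAND, DEMAND),
    "demand, channel B dangerous undetected": (DEMAND, DANGER_UNDET),
    "demand, channel B dangerous detected": (DEMAND, DANGER_DET),
    "no demand, channel B spurious undetected": (HEALTHY, SPURIOUS),
    "no demand, channel B spurious detected": (HEALTHY, SPURIOUS_DET),
    "no demand, channel B dangerous detected": (HEALTHY, DANGER_DET),
}
ARCHES = ("1oo2", "2oo2", "1oo2D", "2oo2D")


def compare() -> dict:
    """Trip (True) or run (False) for every scenario under every architecture."""
    return {name: {arch: vote(arch, a, b) for arch in ARCHES}
            for name, (a, b) in SCENARIOS.items()}


def main() -> None:
    table = compare()
    print(f"{'scenario':42}" + "".join(f"{a:>7}" for a in ARCHES))
    for name, row in table.items():
        print(f"{name:42}" + "".join(f"{'TRIP' if row[a] else '-':>7}" for a in ARCHES))


if __name__ == "__main__":
    main()
```

Reading the table down each column shows the trade-off the text describes: series 1oo2 trips on every fault, detected or not, so its availability is low; plain 2oo2 stays running through a spurious channel but also refuses a genuine demand once the other channel has failed dangerously, which is why it is not fail-safe; the D variants keep running through a diagnosed fault of either kind and still trip on demand, while a fault the diagnostics miss leaves them behaving exactly like their plain counterparts.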

To achieve the highest level of reliability while maintaining the desired availability, triple modular redundancy (TMR) is employed.
