Redundant I/O. How 1oo2, 2oo3, and 2oo4 Voting Show Up on the I/O List.
How to represent voted sensor sets and redundant final elements on the SIS I/O list. One row per physical device, suffixed tags, shared SIF identifier.
A controls engineer on a brownfield revamp was issued a P&ID showing three pressure transmitters arranged as a 2oo3 high-pressure trip on vessel V-201. The I/O list that came with the package had one row. PT-101, signal class AI, 2oo3 voting, SIF-101. The channel count on the PLC rack layout was short by two. Construction installed two of the three transmitters before commissioning found the discrepancy. The fix came two weeks into a startup sequence that had no slack.
One row where there should be three is the most common voting-related error on SIS I/O lists, and it is preventable.
What MooN voting means, and why it produces multiple rows
MooN is the notation for voted safety arrangements. M of N sensors must agree before the function trips. 1oo2 means one of two. 2oo3 means two of three. 2oo4 means two of four. The M and N values come from the SIL verification, the calculation that confirms the Safety Instrumented Function achieves the required Probability of Failure on Demand for the assigned SIL target.
The notation is a statement about logic. N is the number of physical channels that logic consumes, but the voting itself is implemented in the logic solver, not in the I/O wiring, so the notation does not by itself expand into rows. The I/O list records physical reality: how many field devices exist, how many wiring runs leave the marshalling cabinet, and how many I/O channels the logic solver must be provisioned with. For a 2oo3 pressure trip, physical reality is three transmitters.
Each transmitter is a separate bubble on the P&ID. Each bubble is a separate field device with its own installation location, its own impulse line, its own junction box termination, its own SIS cable run, and its own card slot in the logic solver. That is three rows on the I/O list.
The logic solver does the voting. The I/O list records the inputs to that voting. The two must not be confused.
One SIF, three tags, one shared identifier
The standard tagging convention for a voted initiating set uses a shared base tag with alphabetic suffixes: PT-101A, PT-101B, PT-101C for a 2oo3 arrangement. All three share the base loop number, 101, because they are all measuring the same process variable for the same safety function. The suffix distinguishes the physical devices so that a technician pulling a termination drawing knows which run to trace.
On the I/O list, the three rows look like this.
| Tag | Description | Sig. Class | SIF id | Voting arch. | Loop | PLC assignment |
|---|---|---|---|---|---|---|
| PT-101A | V-201 High-Pressure Trip | AI | SIF-101 | 2oo3 | 101 | SIS-1, Rack 1, Slot 2, Ch 1 |
| PT-101B | V-201 High-Pressure Trip | AI | SIF-101 | 2oo3 | 101 | SIS-1, Rack 1, Slot 3, Ch 1 |
| PT-101C | V-201 High-Pressure Trip | AI | SIF-101 | 2oo3 | 101 | SIS-1, Rack 1, Slot 4, Ch 1 |
Three rows, three channel assignments, all on rack SIS-1 but spread across slots 2, 3, and 4. The SIF identifier, SIF-101, is what binds the group together. A reviewer filtering the I/O list on SIF-101 gets all three initiating rows, the logic solver reference, and the final element rows. That is the complete picture of what SIF-101 includes.
Safety redundancy versus availability redundancy
The two motivations for redundancy pull in opposite directions on the PFD calculation, and understanding the distinction helps explain why different architectures appear in the same facility.
Safety redundancy, adding sensors so the function is less likely to fail to trip on a real demand, favours architectures where any single sensor can initiate the trip. A 1oo2 arrangement is more reliable on the safety side than a single 1oo1 sensor, because both sensors would have to fail in the same direction that hides the demand before the trip fails. The cost is a higher spurious-trip rate. If either sensor fails high, the function trips even when the process is safe.
Availability redundancy, adding sensors to reduce spurious trips, favours architectures that require agreement between sensors before tripping. A 2oo2 arrangement only trips when both sensors register a high condition simultaneously. A single spurious high reading does nothing. The cost is on the safety side. If one sensor fails in a way that prevents it from registering the demand, the function will not trip on that sensor alone.
A 2oo3 arrangement sits between these poles. With majority voting, where two of three must agree, one spurious high reading does not trip the function, reducing the spurious-trip rate relative to 1oo2. At the same time, two sensors must fail simultaneously in the direction that hides the demand for the function to fail to trip, giving better safety performance than 2oo2. This is why 2oo3 is the standard architecture for SIL 2 and many SIL 3 functions. It achieves reasonable PFD without excessive spurious-trip frequency.
A 2oo4 arrangement takes the same principle further. It is seen in some high-availability, high-integrity applications, particularly on continuously operated processes where an unplanned trip carries a severe process consequence, but the additional hardware cost and complexity mean it is not a default choice.
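To see the shape of the trade-off the three paragraphs above describe, here is an added Python example (not code from this page or from any SIL verification tool). It uses simplified equations of the kind found in ISA TR84.00.02, with no common-cause, diagnostic or proof-test-coverage terms, and the failure rates, proof-test interval and repair time are assumed illustrative values, not design data. It generalises to any MooN, so 1oo1, 1oo2, 2oo2, 2oo3 and 2oo4 can be placed side by side:

```python
"""Simplified PFDavg and spurious-trip-rate estimates for MooN architectures.

Added illustration for this page. The equations are the simplified,
common-cause-free forms (ISA TR84.00.02 style); the numeric rates below are
assumed for illustration and are not values for a SIL verification."""
from math import comb


def pfd_avg(m, n, lam_du, ti):
    """Average PFD for MooN over a proof-test interval ti (hours).

    N-M+1 undetected dangerous failures (rate lam_du per hour each) defeat
    the function. Special cases: 1oo1 -> lam*ti/2, 1oo2 -> (lam*ti)^2/3,
    2oo2 -> lam*ti, 2oo3 -> (lam*ti)^2, 2oo4 -> (lam*ti)^3."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid architecture {m}oo{n}")
    k = n - m + 1
    return comb(n, k) * (lam_du * ti) ** k / (k + 1)


def spurious_trip_rate(m, n, lam_s, mttr):
    """Spurious trips per hour for MooN.

    The first safe failure (rate lam_s per hour per channel) can come from any
    of N channels; each further one must arrive within the repair time mttr
    (hours), so M safe failures need N(N-1)...(N-M+1) * lam_s^M * mttr^(M-1).
    Special cases: 1oo2 -> 2*lam_s, 2oo2 -> 2*lam_s^2*mttr, 2oo3 -> 6*lam_s^2*mttr."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid architecture {m}oo{n}")
    rate = lam_s ** m * mttr ** (m - 1)
    for i in range(m):
        rate *= n - i
    return rate


ARCHITECTURES = [(1, 1), (1, 2), (2, 2), (2, 3), (2, 4)]


def compare(lam_du=1e-6, lam_s=1e-5, ti=8760.0, mttr=8.0):
    """Assumed illustrative inputs: rates per hour, ti and mttr in hours.
    Returns {"MooN": (PFDavg, spurious trips per hour)}."""
    return {
        f"{m}oo{n}": (pfd_avg(m, n, lam_du, ti), spurious_trip_rate(m, n, lam_s, mttr))
        for m, n in ARCHITECTURES
    }


if __name__ == "__main__":
    for arch, (pfd, str_h) in compare().items():
        print(f"{arch}: PFDavg = {pfd:.2e}, spurious trips/year = {str_h * 8760:.2e}")
```

With the assumed inputs, 1oo2 has the lowest PFDavg but double the spurious-trip rate of a single sensor, 2oo2 has the lowest spurious-trip rate but a PFDavg twice that of 1oo1, and 2oo3 lands between them on both axes, which is the ordering the text describes. Real verifications add beta-factor common-cause terms, which dominate the redundant architectures and are the reason card-level separation matters later on this page.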
These trade-offs are analysed in the SIL verification. The I&C engineer working the I/O list records the architecture the SIL verification specifies. The choice of architecture is not made in the spreadsheet. For the standard-side detail, IEC 61511 for I&C engineers covers the relationship between voting architecture and PFD in the context of the safety lifecycle.
The columns a voting group needs
Beyond the standard SIS columns covered in SIL-Rated I/O: What It Means for Your I/O List and BPCS Separation, a voting group needs these columns populated identically across all its rows.
SIF identifier. The same value on every row in the group. This is the key that links initiating elements, the logic solver reference, and final elements. If the SIF identifier is blank on one of the three transmitter rows, a reviewer cannot confirm the group is complete.
Voting architecture. Every row, not just the first. If the column is populated only on PT-101A and left blank on PT-101B and PT-101C, a reviewer who opens the file sorted by a different column will have no way to know what architecture those rows belong to.
Response-time requirement. The maximum time from the onset of the process demand to the protective action. This value is the same for all three transmitters in a 2oo3 group and is the same as the value on the final element rows, because they all serve the same SIF and must act within the same process safety time.
SIS/BPCS classification. Every SIS row must be marked SIS. When the I/O list is used by the construction contractor to build the rack layout, this column determines which cabinet the wiring goes to.
A reviewer tracing SIF-101 across the I/O list should, after filtering on the SIF identifier, see all three initiating transmitters with consistent voting architecture, the logic solver I/O reference, and the final element rows. If any of those are missing or inconsistent, the I/O list has an incomplete record of the safety function.
Degraded voting
When one of the three transmitters in a 2oo3 group is bypassed for maintenance or has faulted out, the voting logic changes. If the group degrades toward safety, a 2oo3 arrangement with one sensor out of service becomes effectively 1oo2: either of the two remaining sensors can initiate the trip, which raises the spurious-trip rate above the design basis but keeps a single surviving sensor able to trip the function. The alternative, degrading to 2oo2 so that both survivors must agree, preserves availability at the cost of safety.
This degraded-mode behaviour is defined in the Safety Requirements Specification and implemented in the logic solver. The I/O list records the design-basis architecture, 2oo3 on each row and typically points to the SRS for the degraded-vote definition, either in a remarks column or in the SIF identifier reference.
Some projects add a degraded-vote column, populated as "degraded architecture: 1oo2", to make the mode explicit on the face of the I/O list. Others leave it to the SRS cross-reference. The minimum requirement is that the I/O list does not imply the voted arrangement is static. A reviewer who looks at three 2oo3 transmitter rows with no bypass or degraded-mode reference may not know to look for the bypass handling in the logic.
The bypass status of individual sensors in a voting group is managed in the logic solver, not on the I/O list. The I/O list records the design. The runtime state is in the SIS HMI.
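The degraded behaviour described in this section, written out as an added Python voter (not logic from this page, any SRS, or any logic solver vendor). The two policy names are this example's own: "safe" reproduces the 2oo3 to 1oo2 degradation the text describes, "available" keeps M and votes 2oo2 instead; which one a real function uses comes from the SRS. Faulted-out channels are treated the same as bypassed ones, and the all-bypassed case is refused rather than guessed:

```python
"""MooN voter with bypass handling, as an added illustration of degraded voting.

Policy names are this example's own. The real degraded-mode definition is in
the SRS and the logic solver configuration, not here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VoteResult:
    trip: bool
    effective_arch: str   # e.g. "1oo2" once one of three channels is bypassed
    active_tags: tuple    # the channels that actually took part in the vote


def effective_architecture(m, n, bypassed, policy="safe"):
    """Return (m_eff, n_eff) for an MooN group with `bypassed` channels removed.

    "safe":      reduce M with N, so 2oo3 with one bypass votes 1oo2 and a
                 single surviving sensor can still trip (this page's case).
    "available": keep M, so 2oo3 with one bypass votes 2oo2 and both
                 survivors must agree; one surviving sensor cannot trip."""
    if not 1 <= m <= n:
        raise ValueError(f"invalid architecture {m}oo{n}")
    n_eff = n - bypassed
    if n_eff <= 0:
        # Every channel out of service: no vote is possible. The SRS must say
        # whether the function trips, alarms or forbids the bypass; do not guess.
        raise ValueError("all channels bypassed; SRS must define the response")
    if policy == "safe":
        m_eff = max(1, m - bypassed)
    elif policy == "available":
        m_eff = min(m, n_eff)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return m_eff, n_eff


def vote(m, n, channels, policy="safe"):
    """channels: {tag: (tripped, out_of_service)} for all N physical inputs.
    out_of_service covers both maintenance bypass and a diagnosed channel fault."""
    if len(channels) != n:
        raise ValueError(f"{m}oo{n} needs {n} channels, got {len(channels)}")
    active = {tag: tripped for tag, (tripped, out) in channels.items() if not out}
    m_eff, n_eff = effective_architecture(m, n, n - len(active), policy)
    tripped = sum(active.values())
    return VoteResult(tripped >= m_eff, f"{m_eff}oo{n_eff}", tuple(sorted(active)))


if __name__ == "__main__":
    # Constructed states for the SIF-101 transmitters: A reads high, C is bypassed.
    states = {"PT-101A": (True, False), "PT-101B": (False, False), "PT-101C": (False, True)}
    for policy in ("safe", "available"):
        print(policy, vote(2, 3, states, policy))
```

With PT-101C bypassed and only PT-101A reading high, the "safe" policy trips on 1oo2 while the "available" policy holds on 2oo2. That is exactly the difference a reviewer cannot see from three 2oo3 rows alone, which is why the list needs the degraded-vote column or the SRS cross-reference.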
Redundant final elements
The same principle applies on the output side of the SIF. A 1oo2 final element arrangement, two block valves in series, either of which is sufficient to isolate the process, is two physical valves, two wiring runs, and two digital output channels. Each valve gets its own row.
For SIF-101 on vessel V-201, the final element section might look like this.
| Tag | Description | Sig. Class | SIF id | Voting arch. | Fail position | PLC assignment |
|---|---|---|---|---|---|---|
| SDV-306 | V-201 High-Pressure Isolation, Valve 1 | DO | SIF-101 | 1oo2 | Closed | SIS-1, Rack 2, Slot 2, Ch 1 |
| XV-301 | V-201 High-Pressure Isolation, Valve 2 | DO | SIF-101 | 1oo2 | Closed | SIS-1, Rack 2, Slot 3, Ch 1 |
Two rows, two channels, two fail positions recorded. Both fail closed because the protective action is isolation. Both carry SIF-101. Both land on separate card slots for the same reason as the initiating elements. A single card failure should not defeat the entire final element arrangement.
Position confirmation switches (ZSO/ZSC pairs confirming valve position) are additional DI rows sharing the same SIF identifier, with their own card assignments and their own response-time requirements, since confirmation must arrive within the response-time window.
A worked walkthrough. SIF-101 on vessel V-201
Vessel V-201 has a high-pressure trip implemented as SIF-101, with a 2oo3 initiating arrangement on the pressure measurement and a 1oo2 final element arrangement on the isolation valves.
The initiating elements are PT-101A, PT-101B, and PT-101C. Three pressure transmitters, signal class AI, voting 2oo3, SIF-101, loop 101, assigned to separate card slots on rack SIS-1.
The final elements are SDV-306 and XV-301. Two isolation valves, signal class DO, voting 1oo2, SIF-101, fail position closed, assigned to separate card slots on rack SIS-1.
Total rows for SIF-101 on the I/O list: 5, three AI initiating rows plus two DO final element rows. Total I/O channels consumed: 5, three AI plus two DO. The logic solver does not consume a separate channel. The logic solver is the system that reads those 5 channels.
If the project also installs position confirmation switches on both valves, ZSO and ZSC on each valve, that adds four more DI rows to SIF-101 (ZSO-501 and ZSC-502 on SDV-306, and their equivalents on XV-301), for a total of 9 rows tracing back to a single safety function. Each is a physical device, a physical wiring run, and a physical I/O channel. Each gets a row.
This is what a correctly built SIS I/O list looks like at the SIF level. A traceable, complete record of every physical input and output the safety function depends on.
What goes wrong
Collapsing the voting group to one row. Writing "PT-101, 2oo3" as a single row is the most frequent error. The channel count is short by two, the PLC rack layout will not include the channels, and the construction contractor will wire one transmitter and consider the job done. The I/O list is the authoritative channel-count document during detailed design. If the voting group is not expanded, the rack is under-provisioned.
Redundant transmitters on the same I/O card. Putting PT-101A, PT-101B, and PT-101C on three channels of the same card defeats the purpose of the arrangement. A single card failure (power supply fault, backplane fault, firmware exception) takes out all three signals simultaneously. The logic solver sees all three inputs disappear and cannot determine whether that represents three independent sensor failures or a single card failure. Common-cause failures at the I/O card level are a recognised SIS vulnerability. The three transmitters in a voted group should land on three different cards, confirmed in the PLC assignment column of the I/O list.
Voting architecture column blank or inconsistent. A reviewer opening the I/O list should be able to look at any single row and know, from that row alone, the voting architecture of the SIF it belongs to. If the column is populated only on the first row of a group, or left blank when the SIS/BPCS column says SIS, the list is incomplete. Auditors check this.
Redundant final elements collapsed to one row. Two block valves written as "SDV-306, XV-301, 1oo2" in a single row understates the output channel count and obscures which valve is which in the wiring schedule. Final element redundancy follows the same rule as initiating element redundancy. One row per physical device.
Suffixed tags not carrying the shared loop number or SIF identifier. PT-101A, PT-101B, and PT-101C with different loop numbers or no SIF identifier cannot be filtered into a coherent group. The linkage between the transmitters and the safety function is lost. A reviewer cannot confirm the voting group is complete without scanning the entire list manually.
Mixing I/O cards from different safety integrity levels. If a SIL 2 SIF shares an I/O card with a SIL 1 SIF, the card must meet the requirements of the SIL 2 function, because a common-mode failure of the shared card compromises both. The IEC 61511 Clause 11 architectural constraints and the hardware fault tolerance requirements govern what can share hardware. The I/O list PLC assignment column is where this is visible, and where a reviewer will check.
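The checks in this list, together with the column rules from "The columns a voting group needs", as an added Python example (not this page's tool and not any vendor's). It reads a CSV export of the I/O list, groups SIS rows by SIF identifier, signal class and voting architecture, and flags collapsed or incomplete groups, redundant channels sharing a card, blank SIF or voting cells, inconsistent response times within a SIF, and cards hosting mixed SILs. The column names are assumed. The SIF-101 rows follow the tables on this page; their response-time and SIL values, and the SIF-102, SIF-103 and SIF-104 rows, are constructed to exercise the checks:

```python
"""Consistency checks for voted groups on an SIS I/O list.

Added example for this page, not a project's tool. Column names are assumed;
the SIF-101 rows follow the tables above, and the response-time, SIL and
SIF-102/103/104 values are constructed to exercise the checks."""
import csv
import io
import re
from collections import defaultdict

MOON = re.compile(r"^(\d+)oo(\d+)$")

# Constructed sample. SIF-101 is the page's example. SIF-102 is a 2oo3 group
# collapsed to one row, SIF-103 has its transmitters on one card and one blank
# voting cell, and LT-104 (assumed SIL 1) shares that card with SIF-103 (SIL 2).
SAMPLE_IO_LIST = """\
Tag,Description,SigClass,SIS_BPCS,SIF,Voting,ResponseTime_s,SIL,PLC
PT-101A,V-201 High-Pressure Trip,AI,SIS,SIF-101,2oo3,2,2,"SIS-1, Rack 1, Slot 2, Ch 1"
PT-101B,V-201 High-Pressure Trip,AI,SIS,SIF-101,2oo3,2,2,"SIS-1, Rack 1, Slot 3, Ch 1"
PT-101C,V-201 High-Pressure Trip,AI,SIS,SIF-101,2oo3,2,2,"SIS-1, Rack 1, Slot 4, Ch 1"
SDV-306,V-201 High-Pressure Isolation Valve 1,DO,SIS,SIF-101,1oo2,2,2,"SIS-1, Rack 2, Slot 2, Ch 1"
XV-301,V-201 High-Pressure Isolation Valve 2,DO,SIS,SIF-101,1oo2,2,2,"SIS-1, Rack 2, Slot 3, Ch 1"
PT-102,V-202 High-Pressure Trip,AI,SIS,SIF-102,2oo3,2,2,"SIS-1, Rack 1, Slot 5, Ch 1"
PT-103A,V-203 High-Pressure Trip,AI,SIS,SIF-103,2oo3,3,2,"SIS-1, Rack 1, Slot 6, Ch 1"
PT-103B,V-203 High-Pressure Trip,AI,SIS,SIF-103,2oo3,3,2,"SIS-1, Rack 1, Slot 6, Ch 2"
PT-103C,V-203 High-Pressure Trip,AI,SIS,SIF-103,,3,2,"SIS-1, Rack 1, Slot 6, Ch 3"
LT-104,V-204 High-Level Trip,AI,SIS,SIF-104,1oo1,5,1,"SIS-1, Rack 1, Slot 6, Ch 4"
"""


def card_of(plc_assignment):
    """'SIS-1, Rack 1, Slot 2, Ch 1' -> 'SIS-1/Rack 1/Slot 2' (channel dropped)."""
    parts = [p.strip() for p in plc_assignment.split(",")]
    return "/".join(parts[:3])


def check_io_list(text):
    """Return a list of findings; an empty list means the voted groups are consistent."""
    findings = []
    groups = defaultdict(list)          # (SIF, signal class, architecture) -> rows
    response_times = defaultdict(set)   # SIF -> distinct response-time values
    card_sils = defaultdict(set)        # card -> distinct SILs routed through it
    for row in csv.DictReader(io.StringIO(text)):
        if row["SIS_BPCS"].strip() != "SIS":
            continue                    # BPCS rows are outside the SIF record
        tag, sif, arch = row["Tag"], row["SIF"].strip(), row["Voting"].strip()
        if not sif:
            findings.append(f"{tag}: SIS row with blank SIF identifier")
            continue
        if not arch:
            findings.append(f"{tag}: SIS row with blank voting architecture")
        else:
            groups[(sif, row["SigClass"], arch)].append(row)
        response_times[sif].add(row["ResponseTime_s"])
        card_sils[card_of(row["PLC"])].add(row["SIL"])

    for (sif, sig, arch), members in sorted(groups.items()):
        match = MOON.match(arch)
        if not match or not 1 <= int(match.group(1)) <= int(match.group(2)):
            findings.append(f"{sif} {sig}: unrecognised voting architecture {arch!r}")
            continue
        n = int(match.group(2))
        tags = ", ".join(r["Tag"] for r in members)
        if len(members) != n:           # one row per physical device, so rows == N
            findings.append(f"{sif} {sig} {arch}: expected {n} rows, found {len(members)} ({tags})")
        cards = [card_of(r["PLC"]) for r in members]
        if len(set(cards)) < len(cards):   # common-cause exposure at the card
            findings.append(f"{sif} {sig} {arch}: redundant channels share a card ({tags})")

    for sif, times in sorted(response_times.items()):
        if len(times) > 1:
            findings.append(f"{sif}: inconsistent response-time requirement {sorted(times)}")
    for card, sils in sorted(card_sils.items()):
        if len(sils) > 1:
            findings.append(f"{card}: hosts SIFs of mixed SIL {sorted(sils)}")
    return findings


if __name__ == "__main__":
    for finding in check_io_list(SAMPLE_IO_LIST):
        print(finding)
```

Run against the constructed sample, SIF-101 produces no findings, SIF-102 is reported as a 2oo3 group with one row instead of three, SIF-103 is reported for the blank voting cell, the short group and the shared card, and the card in Rack 1 Slot 6 is reported for carrying both SIL 1 and SIL 2 rows. The row-count test is the one that would have caught the single-row PT-101 from the opening story before the rack layout was issued.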
Each transmitter in a 2oo3 set is its own row. PT-101A, PT-101B, and PT-101C are three AI rows in the I/O list, each carrying the SIS classification the drawing shows. The row count equals the physical channel count. From there, the I&C engineer adds the SIF identifier, voting architecture, and proof-test interval columns to complete the SIS I/O list.
To see the extraction workflow, start with the I/O list creation guide.