1oo2 / 2oo3 Voting Architecture
Voting architecture (MooN notation) describes how a safety instrumented function (SIF) determines whether to actuate based on multiple sensor or final-element channels. 1oo2 (one out of two) means one of two channels voting for actuation is sufficient; 2oo2 means both channels must vote for actuation; 2oo3 means two of three channels must vote (used to balance the need to detect a real demand against the risk of spurious trips). Voting architecture is one of the primary design choices in IEC 61511 SIL verification: it affects both the achieved SIL (through PFDavg) and the spurious-trip rate.
How does voting architecture affect PFDavg?
1oo1: PFDavg ≈ lambda_du × T / 2. Single point of failure.
1oo2: PFDavg ≈ (lambda_du × T)^2 / 3 + β × lambda_du × T / 2. Both channels must fail; the common-cause term (β term) dominates the long-term PFDavg.
2oo2: PFDavg ≈ 2 × (lambda_du × T) / 2 = lambda_du × T. Worse than 1oo1 for dangerous failures (either channel failing disables the SIF).
2oo3: PFDavg ≈ (lambda_du × T)^2 × 3 + β × lambda_du × T / 2. Same dangerous-failure performance as 1oo2 but improved spurious-trip resistance (single channel failure does not spuriously trip).
How does voting architecture affect spurious trip rate?
1oo1: STR ≈ lambda_su (single-channel spurious failure rate).
1oo2: STR ≈ 2 × lambda_su (either channel failing trips).
2oo2: STR ≈ (lambda_su × T)^2 (both channels must spuriously fail).
2oo3: STR ≈ 3 × (lambda_su × T)^2 (two of three channels must spuriously fail).
The 2oo3 architecture combines the spurious-trip resistance of 2oo2 with the dangerous-failure performance of 1oo2; this is why 2oo3 dominates SIL 3 SIF designs.
What about voting on final elements?
Voting also applies to final elements (the actuators that respond to the SIF logic-solver output). 1oo2 final-element voting means that either of two valves closing is sufficient to achieve the safety action; the two valves are arranged in series. 2oo3 final-element voting requires two of three valves to close: three valves are arranged in series with logic that demands two-of-three closure. Final-element voting is less common than sensor voting because of the cost and complexity of redundant final elements; it is typically applied on SIL 3 SIFs where the final element is the dominant PFDavg contributor.
Frequently asked
What is the difference between 1oo2 and 1oo2D?
1oo2D adds diagnostic coverage to the 1oo2 architecture: each channel performs continuous self-diagnostics that detect a fraction of failures (typically 60-90%) and trigger automatic restoration. The 'D' (diagnostics) reduces PFDavg by detecting and restoring dangerous failures before the proof-test interval. SIL-certified smart transmitters and logic solvers often implement 1oo2D internally.
Can different channels use different technology in a 2oo3 architecture?
Yes, and this is often the design choice. A 2oo3 architecture using three identical sensors is vulnerable to common-cause failures (a manufacturing defect, a calibration error, a corrosion mechanism that affects all three). A 2oo3 architecture using diverse technologies (e.g., differential pressure, radar, and tuning fork for level) has a lower common-cause beta factor (typically 2% instead of 5-10% for identical channels). Diverse voting is the gold standard for SIL 3 sensor voting.
What is the common-cause beta factor?
The common-cause beta factor is the fraction of failures that affect multiple channels of a voted architecture simultaneously. A β of 10% means 10% of the failure modes affect all channels; only the remaining 90% benefit from voting. The β value depends on diversity (same-vendor same-model identical channels: 5-10%; same-vendor different-model channels: 3-5%; different-vendor different-technology channels: 1-3%).
When is 1oo1 acceptable for a SIL 2 SIF?
1oo1 architecture can achieve SIL 2 PFDavg if the single-channel failure rate is sufficiently low and the proof-test interval is sufficiently short. SIL-certified smart transmitters with high diagnostic coverage can sustain SIL 2 in 1oo1 architecture. SIL 3 in 1oo1 is rarely achievable; SIL 4 in 1oo1 is essentially impossible. Higher SIL targets drive redundant voting architectures.
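The Python sketch below is an added example, not part of the original page. It evaluates the simplified PFDavg formulas exactly as stated above, maps each result to its low-demand SIL band, and reports how much of the 1oo2 and 2oo3 figure comes from the β term as β falls from identical to diverse channels. The failure rate, the one-year proof-test interval, the function names and the 0.1 validity cut-off are assumptions made for illustration.

```python
# Added example: PFDavg per voting architecture, using the page's simplified formulas.
# Low-demand SIL bands as (SIL, PFDavg upper bound); a PFDavg of 0.1 or more earns no SIL.
LOW_DEMAND_BANDS = ((4, 1e-4), (3, 1e-3), (2, 1e-2), (1, 1e-1))
MAX_LAMBDA_T = 0.1  # assumed cut-off: the formulas are approximations for lambda_du*T << 1

def pfd_terms(arch, lambda_du, t_proof, beta=0.0):
    """Return (independent_term, common_cause_term) of PFDavg for one architecture."""
    if lambda_du < 0 or t_proof <= 0 or not 0.0 <= beta <= 1.0:
        raise ValueError("need lambda_du >= 0, t_proof > 0 and 0 <= beta <= 1")
    x = lambda_du * t_proof
    if x > MAX_LAMBDA_T:
        raise ValueError(f"lambda_du*T = {x:.3g}: simplified formulas no longer hold")
    ccf = beta * x / 2
    terms = {
        "1oo1": (x / 2, 0.0),
        "1oo2": (x ** 2 / 3, ccf),
        "2oo2": (x, 0.0),
        "2oo3": (3 * x ** 2, ccf),
    }
    if arch not in terms:
        raise ValueError(f"unknown architecture: {arch}")
    return terms[arch]

def pfd_avg(arch, lambda_du, t_proof, beta=0.0):
    return sum(pfd_terms(arch, lambda_du, t_proof, beta))

def sil_band(pfd):
    """Map a PFDavg to the SIL whose low-demand band it falls in (0 = none)."""
    for sil, upper in LOW_DEMAND_BANDS:
        if pfd < upper:
            return sil
    return 0

def ccf_share(arch, lambda_du, t_proof, beta):
    """Fraction of PFDavg contributed by the common-cause (beta) term."""
    independent, ccf = pfd_terms(arch, lambda_du, t_proof, beta)
    total = independent + ccf
    return ccf / total if total else 0.0

if __name__ == "__main__":
    LAMBDA_DU, T = 1e-6, 8760.0  # constructed values: per-hour rate, one-year interval
    for beta in (0.10, 0.05, 0.02):  # identical channels down to diverse technology
        for arch in ("1oo1", "1oo2", "2oo2", "2oo3"):
            pfd = pfd_avg(arch, LAMBDA_DU, T, beta)
            share = ccf_share(arch, LAMBDA_DU, T, beta)
            print(f"beta={beta:.2f} {arch}: PFDavg={pfd:.2e} "
                  f"SIL {sil_band(pfd)} common-cause share={share:.0%}")
```

With these constructed inputs the β term accounts for more than 90% of the 1oo2 PFDavg at β = 10%, which is the quantitative reason diversity matters more than adding further identical channels.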