Voting Logic
Voting logic is the algorithm a safety instrumented function uses to decide whether a trip condition has actually occurred based on multiple redundant sensor inputs. Common voting schemes are 1oo1 (single sensor), 1oo2 (either of two), 2oo2 (both of two), 2oo3 (any two of three), and degraded modes such as 1oo2D that re-architect on a detected diagnostic fault. The choice trades fault tolerance against spurious-trip rate.
Voting logic is the rule a safety function applies to its redundant sensors before it acts. With two or three transmitters watching the same condition, how many must agree that the limit has been crossed before the function trips? It is one of the most consequential architectural decisions in a safety instrumented function because it sets both failure modes at once. A 1oo2 arrangement trips if either sensor calls the condition, which almost never misses a real demand but trips spuriously when one sensor fails toward the trip state. A 2oo2 arrangement trips only when both agree, which almost never trips spuriously but misses a real demand if one sensor has failed away from the trip state. A 2oo3 arrangement, any two of three, improves both numbers relative to a single sensor: it tolerates one channel failing in either direction, which is why it dominates SIL 2 and SIL 3 service.

The voting is implemented in the certified logic solver, not in custom control code, so that the arrangement is provably deterministic and carries its certification into the SIL verification calculation, where the voting topology, the per-component failure rates, the diagnostic coverage, and the proof-test interval together produce the probability of failure on demand. Degraded-mode voting such as 1oo2D re-architects on a detected sensor fault to keep the safety function available while the failed transmitter is repaired. On the drawing and in the cause-and-effect matrix the voting is named alongside the instruments it governs, and it has to match the safety requirement specification exactly.
Why voting matters for the plant.
A spurious trip is expensive: lost production, possible damage to equipment from a rapid shutdown, and restart cost. A missed real trip is potentially catastrophic. Voting logic is the engineering knob that balances those failure modes. 1oo2 minimizes missed-trip probability but maximizes spurious trips. 2oo2 minimizes spurious trips but roughly doubles the missed-trip exposure of a single sensor, because either channel failing away from the trip state blocks the vote. 2oo3 is the compromise that gets the most SIS deployment in process industries because, relative to a single sensor, it improves both metrics simultaneously.
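The voting rules described in the two passages above, and the single-channel-fault behaviour that drives the spurious-trip versus missed-trip trade, as an added Python illustration. This is not code from the page or from any logic solver vendor; the `Channel` record, the `healthy` diagnostic flag and the 1oo2D degradation rules (2oo2 when both channels pass diagnostics, 1oo1 on the surviving channel when one is diagnosed faulty, fail-safe trip when both are) are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    """One redundant sensor input as the logic solver sees it (assumed model)."""
    tripped: bool          # channel reports the trip limit crossed
    healthy: bool = True   # channel diagnostics pass (no detected fault)


def vote(scheme: str, channels: list[Channel]) -> tuple[bool, str]:
    """Apply a voting scheme to the channel states and return (trip, reason).

    Plain MooN schemes count demands over all N channels regardless of
    diagnostics, which is exactly why 1oo2 is exposed to a channel that
    fails toward the trip state and 2oo2 to one that fails away from it.
    1oo2D uses the diagnostic flag to re-vote on a detected fault.
    """
    scheme = scheme.upper()
    if scheme == "1OO2D":
        if len(channels) != 2:
            raise ValueError("1oo2D needs exactly two channels")
        good = [c for c in channels if c.healthy]
        if not good:
            # Both channels diagnosed faulty: de-energise, fail safe.
            return True, "both channels faulty, fail-safe trip"
        if len(good) == 1:
            # Degraded mode: vote 1oo1 on the surviving healthy channel so
            # the SIF stays available while the other is repaired.
            return good[0].tripped, "degraded to 1oo1 on the healthy channel"
        # Both healthy: behave as 2oo2, both must demand the trip.
        return all(c.tripped for c in channels), "2oo2 with both channels healthy"

    m_str, n_str = scheme.split("OO")
    m, n = int(m_str), int(n_str)
    if len(channels) != n:
        raise ValueError(f"{scheme} needs {n} channels, got {len(channels)}")
    demands = sum(c.tripped for c in channels)
    return demands >= m, f"{demands} of {n} channels demand the trip"


def discrepancy(channels: list[Channel]) -> bool:
    """True when the healthy channels disagree.

    This drives a maintenance alarm rather than the trip: a lone
    dissenting transmitter is probably drifting or has failed undetected,
    and the vote alone would silently mask that.
    """
    states = {c.tripped for c in channels if c.healthy}
    return len(states) > 1


def single_channel_fault_table() -> dict[str, tuple[bool, bool]]:
    """For each scheme, the outcome with exactly one undetected channel fault:
    (spurious trip when that channel is stuck in the trip state and there
    is no real demand, real demand caught when that channel is stuck in the
    normal state).  Constructed scenarios, not plant data."""
    table = {}
    for scheme, n in (("1oo2", 2), ("2oo2", 2), ("2oo3", 3)):
        stuck_tripped = [Channel(True)] + [Channel(False)] * (n - 1)
        stuck_normal = [Channel(False)] + [Channel(True)] * (n - 1)
        spurious, _ = vote(scheme, stuck_tripped)
        caught, _ = vote(scheme, stuck_normal)
        table[scheme] = (spurious, caught)
    return table


if __name__ == "__main__":
    for scheme, (spurious, caught) in single_channel_fault_table().items():
        print(f"{scheme}: spurious trip on fail-to-trip={spurious}, "
              f"demand caught on fail-to-normal={caught}")
```

The fault table is the whole argument of the passage in three rows: 1oo2 trips spuriously but never misses, 2oo2 never trips spuriously but misses, and 2oo3 does neither for a single fault. The `discrepancy` check is what turns the masked single fault in the 2oo3 case into a maintenance action before a second fault arrives.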
Voting in the logic solver.
The certified logic solver (Triconex Tricon, HIMA HIQuad and HIMax, ABB AC800M HI, Siemens S7-400 F-Systems, Honeywell Safety Manager, Emerson DeltaV SIS) provides voting blocks pre-certified for the relevant SIL. The integrator wires the redundant sensor inputs into the voting block and configures the algorithm. The certified logic guarantees the voting is implemented correctly and deterministically. Custom-coded voting in non-certified ladder logic is not appropriate for SIS use.
Frequently asked.
How does voting interact with SIL calculation.
The PFD (probability-of-failure-on-demand) calculation accounts for the voting topology, the failure rates of each sensor and of the logic solver, the proof-test interval, the diagnostic coverage, and the common-cause factor between the redundant channels. A 2oo3 architecture with diagnostic coverage of 90% on each sensor and a 1-year proof-test interval has a very different PFD from the same architecture with 60% diagnostic coverage and a 5-year interval. The exida and equivalent reliability databases provide the per-component data. The SIL calculator chains them.
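The calculation described in this answer, carried through for the sensor subsystem as an added Python example. It is not the page's own calculator and not any vendor's tool: it uses the widely published simplified low-demand equations (no MTTR term in the PFD, a beta-factor model for common cause, detected dangerous faults assumed repaired promptly), and the failure rates it feeds in are constructed for illustration, not database values.

```python
HOURS_PER_YEAR = 8760.0


def pfd_avg(scheme: str, lambda_d: float, dc: float, ti_years: float,
            beta: float = 0.0) -> float:
    """Average probability of failure on demand for a MooN sensor subsystem.

    lambda_d : per-channel dangerous failure rate, per hour
    dc       : diagnostic coverage, so lambda_du = lambda_d * (1 - dc)
    ti_years : proof-test interval
    beta     : common-cause fraction of dangerous undetected failures

    Simplified equations (independent failures only):
      1oo1: x/2   1oo2: x^2/3   2oo2: x   2oo3: x^2   with x = lambda_du * TI
    plus a common-cause term beta * x / 2 for the redundant architectures.
    """
    lam_du = lambda_d * (1.0 - dc)
    x = lam_du * ti_years * HOURS_PER_YEAR
    key = scheme.upper()
    independent = {
        "1OO1": x / 2.0,
        "1OO2": x * x / 3.0,
        "2OO2": x,
        "2OO3": x * x,
    }[key]
    ccf = 0.0 if key == "1OO1" else beta * x / 2.0
    return independent + ccf


def spurious_trip_rate(scheme: str, lambda_s: float, mttr_hours: float) -> float:
    """Spurious trip rate per hour from safe (fail-to-trip-state) failures.

    lambda_s is the per-channel safe failure rate.  2oo2 and 2oo3 only trip
    spuriously when a second channel fails within the repair time of the
    first, hence the lambda_s^2 * MTTR form.
    """
    return {
        "1OO1": lambda_s,
        "1OO2": 2.0 * lambda_s,
        "2OO2": 2.0 * lambda_s ** 2 * mttr_hours,
        "2OO3": 6.0 * lambda_s ** 2 * mttr_hours,
    }[scheme.upper()]


def sil_band(pfd: float) -> int:
    """IEC 61508 low-demand SIL band for a PFDavg (0 = does not reach SIL 1)."""
    if pfd >= 1e-1:
        return 0
    if pfd >= 1e-2:
        return 1
    if pfd >= 1e-3:
        return 2
    if pfd >= 1e-4:
        return 3
    return 4


def compare_2oo3_cases() -> dict[str, float]:
    """The contrast in the text: the same 2oo3 topology with 90% diagnostic
    coverage and a 1-year proof test versus 60% coverage and a 5-year one.
    The 1e-6 /h dangerous failure rate is an assumed, constructed value."""
    lam_d = 1e-6
    return {
        "dc90_ti1y": pfd_avg("2oo3", lam_d, 0.90, 1.0),
        "dc60_ti5y": pfd_avg("2oo3", lam_d, 0.60, 5.0),
    }


if __name__ == "__main__":
    for label, pfd in compare_2oo3_cases().items():
        print(f"2oo3 {label}: PFDavg={pfd:.3e}, sensor subsystem SIL {sil_band(pfd)}")
    print("2oo3 with beta=0.02:",
          f"{pfd_avg('2oo3', 1e-6, 0.90, 1.0, beta=0.02):.3e}")
    for scheme in ("1oo1", "1oo2", "2oo2", "2oo3"):
        print(f"{scheme}: STR={spurious_trip_rate(scheme, 2e-6, 8.0):.3e} /h")
```

Two things a practitioner should notice when running it. First, the two 2oo3 cases differ by roughly a factor of 400 in PFD, which is the point of the answer: the topology alone says nothing until coverage and proof-test interval are fixed. Second, adding even a 2% common-cause fraction to the 90%/1-year case raises its PFD by more than an order of magnitude, so the redundancy credit claimed for 2oo3 depends on separation and diversity of the transmitters as much as on the vote itself.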
Can voting be done in software in the BPCS rather than the SIS.
It can, but it should not be relied on for SIF execution, because the BPCS is not certified to the SIL the SIF claims; IEC 61511 limits the risk-reduction credit a BPCS layer can take regardless of how the voting inside it is coded. Voting in the BPCS for advisory or alarm purposes is fine. Voting that drives a safety-classified action must run in the certified SIS logic solver.
What does a spurious trip cost in practice.
Direct costs include production loss during the unplanned shutdown and the startup cycle after re-establishing safe conditions, which can take hours to days depending on unit complexity. Indirect costs include equipment stress from thermal cycling, catalyst or product quality loss in reactors or batch units, and the maintenance investigation required before the unit can be safely restarted. On a large refinery unit a single spurious trip can result in several hundred thousand dollars in lost production and restart costs.