Voting Logic in Safety

Instrumented System (SIS)

by Editorial Staff

There are 1oo1, 1oo2, 2oo2, 2oo3 etc voting logic in the safety
instrumented system architecture.

The voting logic architecture usually used in the field instrument and

or final control elements to reach certain Safety Integrity Level (SIL)  or
to reach certain cost reduction due to platform shutdown. In general
when we must use 1oo1, 1oo2, 2oo2, or 2oo3 voting logic
architecture?

Voting Logic
As mentioned above, there are two purposes why certain voting
logic architecture were chosen, first is to reach certain SIL and
secondly to reach certain cost reduction due to spurious platform
shutdown.

In order to determine a certain SIL requirement, a risk or process

hazard analysis is used to identify all process, safety and
environmental hazards, estimate their risks, and decide if that risk is
tolerable. Where risk reduction is required an appropriate SIL is
assigned.

The individual components (sensor , logic solver , final elements, etc.)

that are working together to implement the individual safety loops
must comply with the constraints of the required SIL.

In essence, this means that all components within that loop must meet
a certain Probability of Failure on Demand (PFD), Safe Failure Fraction
(SFF) and Hardware Fault Tolerance (HFT) requirement for the
intended SIL.

Readers are encouraged to see further detail regarding this PFDavg,

SFF, and HFT in the IEC 61508 & IEC 61511.

As general rule, first of all the SIL requirement for any particular
condition or application will be determined using a risk or process
analysis.

After the SIL was determined then the architecture of the sensor, logic
solver, and final control element is studied to investigate which
architecture will fulfill the SIL requirement.
For example, if the SIL requirement for a high pressure incoming pipe
line is SIL 3, then the architecture of the pressure sensor and final
element will be investigated.

If 1oo1 sensor, 1oo1 logic solver, and 1oo1 shutdown valve can fulfill
the SIL 3 requirement, then this architecture is chosen. If not, then any
other voting logic architecture is investigated.

Let’s say after several investigations the voting logic 1oo2 sensor,
1oo2 logic solver, and 1oo2 shutdown valve can fulfill the requirement
of SIL 3, then this voting logic is chosen. If the cost reduction study
need to minimize spurious trip due to one of the sensor failed, then
may be the sensor voting logic architecture must be upgraded to
become 2oo3 architecture.

This architecture may be chosen since if one sensor failed, then the
overall architecture is still fulfilling SIL 3 requirement with 1oo2 sensor
configuration. Thus it doesn’t need to have a platform shutdown when
one sensor failed.