From Safety Instrumented Systems Verification: Practical Probabilistic Calculations

1oo2 Architecture

Two controllers can be wired to minimize the effect of dangerous failures. For de-energize-to-trip systems, a series connection of two output circuits requires that both controllers fail in a dangerous manner for the system to fail dangerously. The 1oo2 configuration typically utilizes two independent main processors with their own independent I/O (see Figure F-6). The system offers low probability of failure on demand, but it increases the probability of a fail-safe failure. The "false trip" rate is increased in order to improve the ability of the system to shut down the process.


Figure F-6: 1oo2 Architecture

PFD Fault Tree for 1oo2

Figure F-7 shows the PFD Fault Tree for the 1oo2 architecture. The system can fail dangerously if both units fail dangerously due to a common cause failure, detected or undetected. Other than common cause, it can fail dangerously only if both A and B fail dangerously.


Figure F-7: PFD Fault Tree for 1oo2 Architecture

A first order approximation for PFD can be derived from the fault tree. The equation for PFD is:


The approximation equation for PFDavg derived from the fault tree is:


When imperfect proof test is considered, the equation becomes:



A comparison of Equation F-7 with Equation F-8 shows that every term of F-7 that contains the test interval TI acquires a proof test coverage multiplier C_PT, and that a duplicate of each such term is added in F-8 with (1 - C_PT) in place of C_PT and the lifetime LT in place of TI: the fraction of dangerous undetected failures that the proof test catches is cleared at every test interval, while the remainder can only accumulate over the lifetime of the system.
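Since Equations F-7 and F-8 are not reproduced above, the following added example (not code from the ISA book) evaluates the Figure F-7 fault tree numerically: the top event is common cause failure (detected or undetected) OR both channels A and B failed. It then checks the result against a first-order closed form derived here from that same tree, and handles an imperfect proof test by the mechanism described in the comparison above, with the covered fraction C_PT of undetected failures cleared at each TI and the uncovered fraction (1 - C_PT) cleared only at the end of LT. The failure rates, restore time, beta factors, test interval and lifetime are constructed sample values; the beta-factor split of common cause, the first-order lambda*t approximation, the steady-state lambda_DD*RT term for detected failures and the exact OR gate are modelling assumptions of this example, not the book's equations.

```python
"""Added example: numeric evaluation of the 1oo2 PFD fault tree.

Not code from the ISA book; all figures below are constructed sample values.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Channel:
    """Dangerous-failure data for one controller channel.

    lambda_du, lambda_dd: dangerous undetected / detected failure rates (per hour)
    rt:                   mean restore time after a diagnostic detects a failure (hours)
    beta, beta_d:         common-cause fractions for undetected / detected failures
                          (beta-factor model; values are assumptions of this example)
    """
    lambda_du: float
    lambda_dd: float
    rt: float
    beta: float = 0.02
    beta_d: float = 0.01


def channel_unavailability(ch, t, ti, c_pt=1.0):
    """Unavailability of one channel at time t (hours since start of life),
    with proof tests every ti hours of coverage c_pt.

    Returns (independent, common_cause): the part that must occur in BOTH
    channels to defeat 1oo2, and the part that fails both channels at once.
    Uses first-order lambda*t terms, as the book's approximations do.
    """
    tau = t % ti                              # time since the last proof test
    # Covered undetected failures are cleared by each proof test; the
    # uncovered fraction (1 - c_pt) accumulates until end of life.
    du_exposure = c_pt * tau + (1.0 - c_pt) * t
    detected = ch.lambda_dd * ch.rt           # steady-state unavailability during repair
    undetected = ch.lambda_du * du_exposure
    independent = (1.0 - ch.beta_d) * detected + (1.0 - ch.beta) * undetected
    common_cause = ch.beta_d * detected + ch.beta * undetected
    return independent, common_cause


def pfd_1oo2(ch, t, ti, c_pt=1.0):
    """Fault tree of Figure F-7 at time t: TOP = common cause OR (A AND B)."""
    q_ind, q_cc = channel_unavailability(ch, t, ti, c_pt)
    both_independent = q_ind * q_ind          # A and B independent given no CCF
    return 1.0 - (1.0 - q_cc) * (1.0 - both_independent)   # exact OR gate


def pfd_1oo1(ch, t, ti, c_pt=1.0):
    """Single channel for comparison: any dangerous failure defeats it."""
    q_ind, q_cc = channel_unavailability(ch, t, ti, c_pt)
    return 1.0 - (1.0 - q_ind) * (1.0 - q_cc)


def pfd_avg(pfd_fn, ch, ti, lt=None, c_pt=1.0, steps_per_interval=2000):
    """Average PFD over the lifetime lt (default: one test interval) by
    midpoint-rule integration of the time-dependent PFD."""
    lt = ti if lt is None else lt
    n = max(1, int(round(lt / ti))) * steps_per_interval
    dt = lt / n
    total = sum(pfd_fn(ch, (k + 0.5) * dt, ti, c_pt) for k in range(n))
    return total / n


def pfd_avg_1oo2_closed_form(ch, ti):
    """First-order closed form for a perfect proof test, obtained by averaging
    (a + b*tau)^2 + q_cc(tau) over one interval, where a and b are the
    independent detected and undetected channel terms. Derived here from the
    fault tree; it is an assumption of this example, not the book's F-7."""
    a = (1.0 - ch.beta_d) * ch.lambda_dd * ch.rt
    b = (1.0 - ch.beta) * ch.lambda_du
    independent = a * a + a * b * ti + (b * ti) ** 2 / 3.0
    common_cause = ch.beta_d * ch.lambda_dd * ch.rt + ch.beta * ch.lambda_du * ti / 2.0
    return independent + common_cause


# Constructed sample data (not from the book): yearly proof test, 10-year lifetime.
SAMPLE = Channel(lambda_du=2.0e-7, lambda_dd=2.0e-6, rt=8.0)
TEST_INTERVAL = 1.0 * HOURS_PER_YEAR
LIFETIME = 10.0 * HOURS_PER_YEAR

if __name__ == "__main__":
    perfect = pfd_avg(pfd_1oo2, SAMPLE, TEST_INTERVAL)
    closed = pfd_avg_1oo2_closed_form(SAMPLE, TEST_INTERVAL)
    imperfect = pfd_avg(pfd_1oo2, SAMPLE, TEST_INTERVAL, lt=LIFETIME, c_pt=0.9)
    single = pfd_avg(pfd_1oo1, SAMPLE, TEST_INTERVAL)
    print(f"1oo1 PFDavg, perfect test:        {single:.3e}")
    print(f"1oo2 PFDavg, perfect test:        {perfect:.3e} (closed form {closed:.3e})")
    print(f"1oo2 PFDavg, C_PT=0.9, LT=10 yr:  {imperfect:.3e}")
```

Two properties of the model are worth checking when adapting it to real data: with LT equal to TI the imperfect-test result must coincide with the perfect-test result for any C_PT, because the uncovered fraction is then cleared at the same moment as the covered one, and with the sample rates the common cause branch, not the A-and-B branch, dominates the 1oo2 PFDavg, which is why the beta factor matters more than the second channel once redundancy is in place.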

PFS Fault Tree for 1oo2

Figure F-8 shows the PFS fault tree...

Copyright ISA—Instrumentation, Systems, and Automation Society 2005 under license agreement with Books24x7

