Safety Instrumented Systems Verification: Practical Probabilistic Calculations

An architecture designed to tolerate both "safe" and "dangerous" failures is the 2oo3 (two units out of three are required for the system to operate). This architecture provides both safety and high availability with three controller units.
Two outputs from each controller unit are required for each output channel. The two outputs from the three controllers are wired in a "voting" circuit, which determines the actual output (Figure F-20). The output will equal the "majority." When two sets of outputs conduct, the load is energized. When two sets of outputs are off, the load is de-energized.
A closer examination of the voting circuit shows that it will tolerate a single failure in either failure mode: dangerous (short circuit) or safe (open circuit). Figure F-21 shows that when one unit fails open circuit, the system effectively degrades to a 1oo2 configuration. If one unit fails short circuit, the system effectively degrades to a 2oo2 configuration. In both cases, the system remains in successful operation.
The 2oo3 architecture will fail dangerously only if two units fail dangerously (Figure F-22). There are three ways in which this can happen: the AB leg can fail short circuit, the AC leg can fail short circuit, or the BC leg can fail short circuit. These are shown in the top level events of the PFD fault tree...
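The voting behaviour described above can be checked exhaustively. The following is an added example, not code from the book: it models each unit's output contact as healthy, stuck short (dangerous) or stuck open (safe), wires the three contacts as the three series legs AB, AC and BC in parallel, and enumerates all 27 failure-state combinations to confirm that any single failure is tolerated and that exactly the three two-unit short-circuit legs produce a dangerous failure.

```python
"""2oo3 voting circuit: single-failure tolerance and the two-unit dangerous
failure legs.  Constructed model (not the book's code): each unit's output
contact is HEALTHY (follows the command), SHORT (stuck conducting, the
dangerous mode) or OPEN (stuck non-conducting, the safe mode)."""
from itertools import product

HEALTHY, SHORT, OPEN = "healthy", "short", "open"
UNITS = ("A", "B", "C")
PAIRS = (("A", "B"), ("A", "C"), ("B", "C"))  # the three series legs of the voter

def conducts(state, commanded_on):
    """Whether one output contact conducts, given its failure state."""
    if state == SHORT:
        return True
    if state == OPEN:
        return False
    return commanded_on  # a healthy contact follows the command

def load_energized(states, commanded_on):
    """Voter output: legs in parallel, two contacts in series per leg, so the
    load is energized when any leg (i.e. a majority of units) conducts."""
    c = {u: conducts(states[u], commanded_on) for u in UNITS}
    return any(c[x] and c[y] for x, y in PAIRS)

def classify(states):
    """'dangerous' if the load stays energized on a trip command, 'safe' if it
    drops out (spurious trip) while commanded to run, otherwise 'ok'."""
    if load_energized(states, commanded_on=False):
        return "dangerous"
    if not load_energized(states, commanded_on=True):
        return "safe"
    return "ok"

def single_failure_tolerance():
    """True if every single-unit failure of either mode leaves the voter 'ok'."""
    return all(classify({**{u: HEALTHY for u in UNITS}, f: mode}) == "ok"
               for f in UNITS for mode in (SHORT, OPEN))

def dangerous_pairs():
    """Legs whose two contacts both failing short give a dangerous failure."""
    return [x + y for x, y in PAIRS
            if classify({**{u: HEALTHY for u in UNITS}, x: SHORT, y: SHORT}) == "dangerous"]

def failure_census():
    """Count 'ok', 'safe', 'dangerous' over all 27 failure-state combinations."""
    census = {"ok": 0, "safe": 0, "dangerous": 0}
    for combo in product((HEALTHY, SHORT, OPEN), repeat=3):
        census[classify(dict(zip(UNITS, combo)))] += 1
    return census
```

The census shows the symmetry of the voter: seven combinations are dangerous (at least two contacts short), seven are safe (at least two open), and the remaining thirteen still follow the command.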