Voting, regarding overspeed protection systems, can be defined by the number of safety loops that should switch to the safe state when an overspeed situation is detected. The desirable voting structure depends on the application. For highly critical machinery a 2oo3 voting structure is widely adopted and required by the API standard 670, but for less critical machinery a 1oo1 voting structure may suffice. The reasoning behind this is the increased availability and safety that more complex voting structures provide.
The meaning of different voting structures is often misunderstood. This is due to the fact that the impact of a voting structure differs depending on the way you look at it.
What is considered a failure?
A failure occurs when the safety unit does not go to the safe state when it should or when it goes to the safe state when it should not.
Two different situations should be considered: the situation from a safety perspective and the situation from an availability perspective.
- The safety perspective focuses on whether a machine remains protected when one or multiple safety units in the voting structure fail.
- The availability perspective focuses on whether a machine remains available if one or multiple safety units in the voting structure fail.
How to determine the voting structure?
- From a safety perspective: How many safety devices must remain functional for the machine to remain safe?
- From an availability perspective: How many safety devices must remain functional for the machine to remain available?
Table 1. Various (relay) voting structures explained based on a safety perspective versus an availability perspective.
Note: The figures in the table may cause confusion as the relays are depicted open, while they are energised closed during normal operation. However, this is how schematics of relays are generally shown as this provides a better overview.
The table shows that the voting structure differs depending on whether you look at it from a safety or an availability perspective. Taking the second figure as an example, it would be a 1oo2 voting structure from a safety perspective: only one of the safety units has to function for the machine to remain safe. From an availability perspective, however, it is a 2oo2 voting structure: if one unit fails the machine will not be available, as both devices need to function properly.
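The two perspectives can be derived mechanically from a relay network. The Python sketch below is an added example, not part of the original article. It assumes contacts that are closed while the machine runs, a failed unit that is stuck closed in the safety view and stuck open in the availability view, and contact networks (including the 2oo3 network) that are assumed wirings rather than the figures from Table 1.

```python
from itertools import combinations

# Assumed wirings. Each entry: (number of units, function that maps the list
# of contact states, True = closed, to "circuit closed = machine may run").
STRUCTURES = {
    "single contact": (1, lambda c: c[0]),
    "two in series": (2, lambda c: c[0] and c[1]),
    "two in parallel": (2, lambda c: c[0] or c[1]),
    "2oo3 network": (3, lambda c: (c[0] and c[1]) or (c[1] and c[2])
                                  or (c[0] and c[2])),
}


def min_functional(n, ok):
    """Smallest m such that EVERY choice of m functional units satisfies ok()."""
    for m in range(n + 1):
        if all(ok(set(good)) for good in combinations(range(n), m)):
            return m
    return None  # the structure never satisfies the requirement


def classify(n, closed):
    """Return (safety voting, availability voting) as 'MooN' strings."""
    # Safety view: overspeed is present. Functional units open their contact;
    # failed units are assumed stuck closed (they never trip).
    safety = min_functional(
        n, lambda good: not closed([i not in good for i in range(n)]))
    # Availability view: speed is normal. Functional units hold their contact
    # closed; failed units are assumed stuck open (spurious trip).
    avail = min_functional(
        n, lambda good: closed([i in good for i in range(n)]))
    return f"{safety}oo{n}", f"{avail}oo{n}"


if __name__ == "__main__":
    for name, (n, closed) in STRUCTURES.items():
        safety, avail = classify(n, closed)
        print(f"{name:16s} safety: {safety}   availability: {avail}")
```

Two contacts in series come out as 1oo2 for safety and 2oo2 for availability, matching the second figure discussed above, while the 2oo3 network is 2oo3 from both perspectives.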