Voting Logic In Safety Instrumented System
28th April, 2025.
In this post, we will see the voting logic in safety instrumented system.
In instrumentation, safety logic is a very important criterion that engineers must consider. Without proper safety functions, you cannot operate a system, and for a very critical system, safety logic is a must. One function widely adopted in industry for this task is voting logic. It is a type of redundancy used with sensors to achieve safety logic for critical and non-critical operations, and it makes the system function reliably and efficiently. In this post, we will see the voting logic in the safety instrumented system (SIS).
What is the voting arrangement in SIS?
Imagine a simple system where a pressure transmitter is installed on the discharge line of a large pump. It monitors the outlet pressure; if the pressure is high, the pump is drawing water at a much larger force, which can damage the pipeline and the systems further downstream of the pump. In that case, the pump will be stopped. But what if the sensor fails? Then there is no means to control the pump. Such applications therefore need a redundant sensor, and this gives rise to voting logic.
As the name suggests, a voting arrangement is a combination of sensors which takes the votes of the maximum number of sensors into consideration. So, instead of one sensor, we can have two sensors on the discharge line and check both of them for high pressure. If any one sensor votes, that is, gives a signal for high pressure, the pump will trip. So even if one sensor fails, this configuration will work. A voting arrangement is denoted by MooN, where M stands for the maximum number of votes to cause an action and N stands for the total number of votes. Various types of voting logic are used, like 1oo2, 1oo3, 2oo3, 2oo4, 3oo4 etc.
Failure modes of SIS equipment:
Before we go further in our discussion of voting logic, we will first look at an important concept: failure modes. There are two types of failure related to sensors or instruments in an SIS: safe and dangerous. Suppose you have a voting logic of 1oo2. If a sensor gives false data while the pressure is not high, the pump would still trip. But as the pressure was normal, this trip was safe and would not hamper the system much; it only results in an unwanted shutdown. This is called a safe failure, where the sensor was not required to respond, but it still responded. Now, if both sensors had failed and the pressure went high, the pump would not trip, as the pressure cannot be read. This will result in a hazardous situation for the plant. That is called a dangerous failure, where the sensors were required to respond, but they did not respond.
Now that this concept is clear, consider one thing. Imagine a dangerous failure situation where both of your sensors have failed. Then there is no use in having such expensive voting logic. So, engineers bring more hard redundancy into the system with configurations like 1oo3, 2oo4 etc. Here, you have two sensors on standby. Take the example of 2oo4. Two votes are required so that if any one sensor gives an irrelevant signal, at least one true vote from a second sensor is still needed to complete the combination before the action is passed (that is, the consent of two sensors is required to take an action). Now, if two of the sensors fail, you still have the two standby sensors to take the decision. This setup is costly, but it greatly reduces the chance of the voting logic failing. Nowadays, sensors also have built-in troubleshooting features, which regularly check for any issue and alert the user.
Now, we will discuss a more practical way of implementing real-time voting logic with a PLC system. Suppose you have a configuration of 2oo3; that means a total of 3 sensors are used. So, you will require three inputs in the PLC, to which they will be wired. The voting logic then has to be written in the PLC program, where you compare one input against another and generate an output. You also have to consider dangerous failures, in which case you have to safely shut down the whole system through the PLC. Be it a normal PLC or a safety PLC, logic must be written for voting. A normal PLC will require many more rungs and much more logic to be written than a safety PLC, where you have ready-made configurations and blocks that support the logic and thus minimize the coding part.
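The 2oo3 voting described above, modelled in Python rather than PLC rungs. This is an added example, not code from the original post; the 4-20 mA fault limits, the trip point, the sample readings and the function names are assumptions made for illustration. It generalises to any MooN arrangement (trip when at least M of the N channels vote) and counts a channel with a diagnosed failure as a trip vote, so that lost sensors push the system toward shutdown instead of hiding a dangerous failure.

```python
from dataclasses import dataclass

# Assumed fault band for a 4-20 mA loop (constructed values, not from the post):
# a signal at or outside these limits is treated as a diagnosed channel failure.
FAULT_LOW_MA, FAULT_HIGH_MA = 3.6, 21.0

@dataclass
class VoteResult:
    trip: bool
    trip_votes: int
    faulted: list   # indexes of channels with a diagnosed fault

def channel_state(ma, trip_ma):
    """Classify one transmitter input as 'fault', 'trip' or 'ok'."""
    if ma is None or ma <= FAULT_LOW_MA or ma >= FAULT_HIGH_MA:
        return "fault"
    return "trip" if ma >= trip_ma else "ok"

def moon_vote(readings_ma, m, trip_ma, fault_votes_trip=True):
    """MooN voter: trip when at least m of the N channels vote for a trip.

    fault_votes_trip=True  -> a diagnosed-failed channel counts as a trip vote,
                              so lost sensors push the system toward shutdown.
    fault_votes_trip=False -> failed channels are ignored (kept only to show how
                              a dangerous failure goes unnoticed).
    """
    if not 1 <= m <= len(readings_ma):
        raise ValueError("m must be between 1 and the number of channels")
    states = [channel_state(ma, trip_ma) for ma in readings_ma]
    faulted = [i for i, s in enumerate(states) if s == "fault"]
    votes = states.count("trip")
    if fault_votes_trip:
        votes += len(faulted)
    return VoteResult(votes >= m, votes, faulted)

if __name__ == "__main__":
    TRIP_MA = 16.0  # constructed high-pressure trip point
    scenarios = {   # constructed sample readings for a 2oo3 arrangement
        "all healthy, normal pressure": [12.0, 12.1, 11.9],
        "one sensor falsely reads high": [12.0, 18.5, 11.9],
        "real high pressure": [17.2, 17.0, 16.8],
        "two dead loops, pressure high": [17.2, 0.0, None],
    }
    for name, ma in scenarios.items():
        safe = moon_vote(ma, 2, TRIP_MA)
        naive = moon_vote(ma, 2, TRIP_MA, fault_votes_trip=False)
        print(f"{name}: fail-safe trip={safe.trip}, faults ignored trip={naive.trip}")
```

With one channel faulted, the 2oo3 voter behaves like 1oo2 on the two remaining sensors; with two faulted, it trips regardless of the third reading.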
Do not try to connect multiple sensors to one single PLC point; it will not work at all. The current will be distributed or disturbed, or a voltage drop will occur, and it is technically foolish for a PLC to read such incorrect values and then take an action. Yes, some very smart sensors have a built-in assembly which performs the voting logic internally and generates just a single output to the PLC. But even then, it is logically correct, as only a single input is connected to the PLC, and not multiple inputs. So, before concluding and implementing this engineering, it is necessary to identify your SIL (safety integrity level), the type of criticality, and the cost and complexity of the system.
I have covered the voting logic in the safety instrumented system, or SIS. I have not attempted to cover all the topics related to it, as they can vary from case to case. Once you are familiar with this type of technology, you can easily troubleshoot any issues related to it.
Thank you for reading the post. I hope you liked it and will find a new way in this type of technology.