Two-out-of-two voting (2oo2) also employs two devices.

In this arrangement, of the two devices, both devices must “agree” to cause a shutdown before the shutdown will occur. I.e., both devices must vote to trip to cause a trip action.

2oo2 Voting

This is physically represented by two switches in parallel. De-energizing either the “A” switch or the “B” switch alone will not cause the entire circuit to de-energize. Only when both switches open is the circuit de-energized and the plant moved to a safe state.

This arrangement does not have any tolerance to dangerous failures. A failure of the “A” device in the welded closed mode by itself will result in a dangerous failure of the overall system, and the same is true for the “B” device.

While this arrangement does not have any tolerance to dangerous failures, it does have one degree of tolerance to safe failures. If the “A” device were to spuriously fail in the safe open-circuit mode, power will still be conducted through the “B” switch, preventing a spurious shutdown. The same is true for a spurious failure of the “B” switch.

As a result of being tolerance to one safe failure but no dangerous failures, this voting arrangement is commonly used to improve resistance to spurious failures at the cost of decreasing safety performance below what it would be if only a single device were used.

As you can see in the table below, use of 2oo2 voting provides for a drastically reduced spurious trip rate, but that improvement in resistance to spurious trips comes with the cost of decreased safety.

Specifically, the probability of failure on demand of a 2oo2 voting arrangement is twice as high as for a single device. As a result, this voting arrangement can only be used to reduce spurious trip rates for systems with low SIL requirements e.g., SIL 1.