Voting 2oo2

Status
Not open for further replies.

Indy (Industrial), Dec 14, 2012
Hi,
We have 2 sensors and we are planning on wiring them so that both have to reach their setpoint before a controller action takes place.

I have been reading that the reliability will be improved because spurious tripping will be reduced, but on the other hand the failure rate has now doubled, as if one sensor fails the controller action won't take place.

What is the general consensus on using 2oo2 voting on machinery? Is this something that is normally done?

Thanks
 

Let's say failure rate of a single sensor is 0.01

When using 1oo2 logic, failure rate is effectively doubled because failure of ANY of the sensors will cause a spurious trip. You have two sensors with failure rate 0.01, hence the system failure rate is 2 x 0.01 = 0.02.
When using 2oo2 logic, you need both sensors to fail simultaneously, i.e. 0.01 x 0.01 = 0.0001 hence the system failure rate is effectively reduced 100 times.

Dejan IVANOVIC
Process Engineer, MSChE
 
Hi,
Thanks for this. I just have a question. If the sensors are "ANDed" together and one fails to read the desired setpoint, then would this not prevent the other sensor from working correctly, as would this not feed into the second sensor?

Thanks
 
Your OP is necessarily not true; if one of the controllers actually fails, you could be no worse off than if you only had a single controller, which you still would have. That's predicated on whether the downstream client can detect or be informed of the failure, in which case it could revert to a single-controller operational mode. Presumably, you have some indication that a controller actually failed; otherwise, you'd be running the process with a failed controller, which ought to be possible.

IF (NOT (Fail_A OR Fail_B)), then Trip = Trip_A AND Trip_B
IF (Fail_A OR Fail_B), then Trip = ((Trip_A AND (NOT Fail_A)) OR (Trip_B AND (NOT Fail_B)))

Now, your actual hardware failure rate is doubled, but that's a cost/maintenance time issue.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!
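The two-line rule in the reply above can be checked exhaustively. The following is an added example and not code from the thread: it compares plain 2oo2, plain 1oo2 and the fault-aware 2oo2 rule over every combination of demand, fault flags and failed-sensor output. Assumptions are mine: a healthy sensor reports a trip exactly when a real demand is present, a failed sensor's output is unknown (so both stuck-low and stuck-high are enumerated), and the logic solver has the Fail_A / Fail_B flags available. The `trip_on_double_fault` variant is my addition, not something the reply proposes.

```python
"""Added example, not part of the thread: the fault-aware 2oo2 rule from the
reply above, checked exhaustively against plain 2oo2 and 1oo2 logic.

Assumptions (mine): a healthy sensor reports a trip exactly when a real
demand is present; a failed sensor's output is unknown, so both stuck-low
and stuck-high outputs are enumerated; the logic solver knows each
sensor's fault flag (Fail_A / Fail_B in the post). trip_on_double_fault
is an extra variant I added, not something the post proposes.
"""

from itertools import product


def plain_2oo2(trip_a, trip_b, fail_a, fail_b):
    """Both sensors must call for a trip; fault flags are ignored."""
    return trip_a and trip_b


def plain_1oo2(trip_a, trip_b, fail_a, fail_b):
    """Either sensor trips the system; fault flags are ignored."""
    return trip_a or trip_b


def fault_aware_2oo2(trip_a, trip_b, fail_a, fail_b):
    """The rule from the post: 2oo2 while both sensors are healthy,
    otherwise 1oo1 on whichever sensor is still trusted."""
    if not (fail_a or fail_b):
        return trip_a and trip_b
    return (trip_a and not fail_a) or (trip_b and not fail_b)


def trip_on_double_fault(trip_a, trip_b, fail_a, fail_b):
    """My fail-safe variant (not from the post): as above, but with no
    trusted sensor left the system trips rather than running blind."""
    if fail_a and fail_b:
        return True
    return fault_aware_2oo2(trip_a, trip_b, fail_a, fail_b)


def evaluate(logic):
    """Count missed demands and spurious trips over every reachable state."""
    missed = spurious = 0
    for demand, fail_a, fail_b in product((False, True), repeat=3):
        # A failed sensor may read either way; a healthy one tracks the demand.
        outs_a = (False, True) if fail_a else (demand,)
        outs_b = (False, True) if fail_b else (demand,)
        for trip_a, trip_b in product(outs_a, outs_b):
            tripped = logic(trip_a, trip_b, fail_a, fail_b)
            if demand and not tripped:
                missed += 1
            if tripped and not demand:
                spurious += 1
    return {"missed": missed, "spurious": spurious}


if __name__ == "__main__":
    for logic in (plain_2oo2, plain_1oo2, fault_aware_2oo2, trip_on_double_fault):
        print(f"{logic.__name__:22s} {evaluate(logic)}")
```

With one sensor flagged faulty, the fault-aware rule behaves exactly like the remaining healthy sensor, so it neither misses a demand nor trips spuriously where plain 2oo2 or 1oo2 would. The remaining gap is the double-fault state, where the rule as written never trips; whether to trip or merely alarm there is a design decision the thread does not settle.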
 
Voting arrangement might be susceptible to common cause failure modes - examples would be instrument sensing line blockage (if both sensors are connected to the source vessel via single sensing line), and in such case indeed both instruments would fail simultaneously and you will not have any increased reliability due to voting/redundancy. So to answer your question, you need to look at your system and confirm if there is any scenario during which both sensors would fail simultaneously from a common cause. If there is, reliability is reduced for the fraction (X%) of all failures (100%) that occur due to common cause failures. If there isn't any common cause failure scenario, the voting arrangement would effectively reduce failure rate 100 times compared to single sensor case.

Dejan IVANOVIC
Process Engineer, MSChE
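The arithmetic in the two replies above (2oo2 spurious-trip probability of 0.01 x 0.01 = 0.0001, versus roughly 2 x 0.01 for 1oo2, and the common-cause caveat) can be put into a small model. This is an added example, not code from the thread or from the poster: each sensor is assumed to fail a given demand with probability `p`, and a fraction `beta` of those failures are assumed to be common cause, taking both sensors out together; `p` and `beta` are illustrative values I chose, not data from the thread.

```python
"""Added example, not from the thread: the 1oo2 / 2oo2 arithmetic from the
replies above, extended with a common-cause term so the "X% of failures
are common cause" caveat can be put into numbers.

Assumptions (mine, not the thread's): each sensor fails a given demand with
probability p; a fraction beta of those failures are common cause and take
both sensors out together, the rest are independent. p and beta below are
illustrative values, not data from the thread.
"""


def both_fail(p: float, beta: float = 0.0) -> float:
    """Probability that both sensors fail, given a common-cause fraction beta."""
    p_cc = beta * p              # one event knocks out both sensors
    p_ind = (1.0 - beta) * p     # what is left fails independently
    return p_cc + (1.0 - p_cc) * p_ind ** 2


def either_fails(p: float, beta: float = 0.0) -> float:
    """Probability that at least one sensor fails."""
    p_cc = beta * p
    p_ind = (1.0 - beta) * p
    return p_cc + (1.0 - p_cc) * (1.0 - (1.0 - p_ind) ** 2)


def compare(p: float, beta: float = 0.0) -> dict:
    """Failure probability per architecture for the two failure modes.

    spurious:    the system trips although there was no real demand
    fail_to_act: a real demand is missed
    With OR (1oo2) one bad sensor causes a spurious trip but both must fail
    to miss a demand; with AND (2oo2) it is the other way round.
    """
    return {
        "1oo1": {"spurious": p, "fail_to_act": p},
        "1oo2": {"spurious": either_fails(p, beta), "fail_to_act": both_fail(p, beta)},
        "2oo2": {"spurious": both_fail(p, beta), "fail_to_act": either_fails(p, beta)},
    }


def improvement(p: float, beta: float = 0.0) -> float:
    """How many times rarer a spurious trip is with 2oo2 than with one sensor."""
    return p / both_fail(p, beta)


if __name__ == "__main__":
    for beta in (0.0, 0.1):
        table = compare(0.01, beta)
        print(f"beta={beta}")
        for arch, modes in table.items():
            print(f"  {arch}: spurious={modes['spurious']:.6f} "
                  f"fail_to_act={modes['fail_to_act']:.6f}")
        print(f"  2oo2 spurious-trip improvement: {improvement(0.01, beta):.1f}x")
```

With `beta = 0` the table reproduces the replies: 2oo2 spurious trips at 0.0001 (100 times better than a single sensor) and fail-to-act at about 0.02 (the doubling the original question worried about). With only 10% of failures assumed common cause, the 100x improvement collapses to roughly 9x, which is why the check for a shared sensing line or other common-cause path matters more than the exact voting arithmetic.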
 
Thanks for the replies. The problem is we have two sensors placed at opposite sides of a room. These will detect water leakage. If the first one detects leakage then an alarm will be generated and operators should then pull a plug to allow the water to drain away. However if they do not and the water continues to rise and activates the second sensor then this should trip the pumps in the room.

Both sensors will be taken back to relays in a panel and the second sensor will only be initiated if the first has detected water, so if there is a fault in the first then the second sensor would never be initiated to look for water and the pumps would never trip.

Thanks
 
OK, so why can't the second one always be looking for a leak all the time?

If S2 = Trip, AND S1 <> Trip, Pull Plug (anyway) Check S1 and room

Seems to me that you are actually trying to prevent inaction on the operator's part, so why is there even a human in the loop? All the testing and actual usage on autonomous cars and other systems show that the human is the weakest link and least able to sustain alertness for more than about 10 to 15 minutes. If the plug is automated, then you can apply normal reliability and redundancy calculations to crank up the probability of missed leaks to as much as you want. If the human is in the loop, then even a 99.99999% consistent trip can still be missed by a texting operator.


TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!
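The leak scenario described in the thread, simulated two ways, as an added example that is not part of the original posts: once with the gated relay wiring the original poster describes (the second sensor only matters after the first has detected water) and once with the arrangement suggested in the reply above (the second sensor always armed, and "S2 tripped but S1 did not" treated as a reason to act anyway and to check S1). Assumptions are mine: S1 sits at a lower water level than S2, each sensor is a simple level switch, a faulty S1 reads dry forever, and the rising-water sequence is constructed, not measured.

```python
"""Added example, not from the thread: the two-sensor leak scenario, run
with the OP's gated wiring and with the always-armed S2 suggested above.

Assumptions (mine): S1 sits at a lower water level than S2, each sensor is
a simple level switch, and a faulty S1 reads dry forever. The water levels
are a constructed sequence, not measurements.
"""

S1_LEVEL = 1.0   # illustrative: first (alarm) sensor closes above this level
S2_LEVEL = 2.0   # illustrative: second (pump trip) sensor closes above this

RISING_WATER = [0.0, 0.5, 1.2, 1.6, 2.3, 2.8]  # constructed level sequence


def read_sensors(level, s1_stuck_dry=False):
    """Level-switch model: closed once the water is at or above the setpoint."""
    s1 = (level >= S1_LEVEL) and not s1_stuck_dry
    s2 = level >= S2_LEVEL
    return s1, s2


def gated(s1, s2, state):
    """OP's relay wiring: S2 is only looked at after S1 has seen water."""
    state["s1_seen"] = state.get("s1_seen", False) or s1
    alarm = s1
    trip = state["s1_seen"] and s2
    return alarm, trip, False


def independent(s1, s2, state):
    """Arrangement from the reply above: S2 always armed; S2 without S1
    still trips the pumps and flags S1 for checking."""
    alarm = s1 or s2
    trip = s2
    s1_suspect = s2 and not s1
    return alarm, trip, s1_suspect


def run(logic, s1_stuck_dry=False):
    """Return (step at which the pumps tripped, or None; whether S1 was flagged)."""
    state = {}
    flagged = False
    for step, level in enumerate(RISING_WATER):
        s1, s2 = read_sensors(level, s1_stuck_dry)
        _alarm, trip, suspect = logic(s1, s2, state)
        flagged = flagged or suspect
        if trip:
            return step, flagged
    return None, flagged


if __name__ == "__main__":
    for logic in (gated, independent):
        for stuck in (False, True):
            print(f"{logic.__name__:12s} S1 stuck dry={stuck!s:5s} -> {run(logic, stuck)}")
```

With a healthy S1 both wirings trip the pumps at the same step. With S1 stuck dry the gated wiring never trips at all, which is the failure the original poster was worried about; the always-armed S2 still trips and additionally reports that S1 should have closed first and did not.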
 