1oo2 and 2oo2

Charbel

Dear,

I was looking on the internet for the meaning of 1oo2 and 2oo2:
"1oo2 safety system can handle 1 dangerous failure and 0 safe failure and a 2oo2 safety system can handle 0 dangerous failure and 1 safe failure."

I could understand that 1oo2 is a redundant system able to handle a dangerous failure (is it like a physical failure? like one of the PLCs in a redundant PLC system connected to redundant RIOs fails?)
If this happens, i.e. a dangerous failure occurs, will 1oo2 become 2oo2 (if it is configured to do so?) and will this be called a safe failure? And what does safe failure mean? Is it when the system returns to its safe state?

thanks!

charbel
 
For those who are unfamiliar, 1oo2 is one out of two and 2oo2 is two out of two.

Both are redundant systems.

In a 1oo2 system, any one of the two controllers needs to operate to maintain a safe system. In a typical machine environment you can think of it as either controller can turn the machine off.

In a 2oo2 system, both controllers need to operate to maintain a safe system, however, the redundant design allows it to continue to operate in the event of a single failure. This is often used in the process sector where simply shutting down the process is not an option.

"Failure" in this case is any fault, electronic or mechanical, that causes the equipment to not operate as designed. Anything from loss of power to a piece falling off the equipment is a failure.

A "dangerous failure" means a fault in the system that results in a hazardous situation. An example might include the failure of a light curtain safeguarding access to a dangerous location. A 1oo2 system would detect the failure of the light curtain and stop the machine.

A "safe failure" means a fault in the system that does not result in a hazardous situation. An example might include an MCR that fails to energize. Your machine won't work, but there is not an increase in risk to those around the machine. A 2oo2 system would have a redundant MCR that could start the machine if the first one failed.

Also realize that the same component can have both "safe" and "dangerous" failure modes. Using the example of the MCR, if the contacts welded closed, that would be a dangerous failure, because the control system could not turn off the machine. Think of 1oo2 as two MCRs wired in series, either turning off would make the system safe. 2oo2 would be two MCRs wired in parallel, either turning on would make the system work. It is an oversimplification but you can see the basic differences by visualizing it this way.

1oo2 increases safety. 2oo2 increases reliability. If you need both you need 2oo3 (two out of three).
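As an added illustration (not part of the thread), the small Python model below brute-forces the voting rule from the reply above: each channel is an MCR contact that is healthy, welded closed (dangerous failure) or failed open (safe failure), and the machine stops when at least M of the N channels vote to trip. The channel states and the two acceptance checks (trips on demand, no spurious trip without demand) are this example's own assumptions; running it reproduces the "1 dangerous / 0 safe" and "0 dangerous / 1 safe" figures quoted in the question, and the 2oo3 case.

```python
"""Brute-force model of MooN voting between redundant safety channels."""

# Constructed channel states for this example:
#   "ok"        healthy contact: opens exactly when a trip is demanded
#   "dangerous" welded closed: can never open, so it never votes to trip
#   "safe"      failed open (e.g. MCR that will not energize): always votes to trip


def channel_trips(state, demand):
    """Does this channel vote to trip (open its contact)?"""
    if state == "dangerous":
        return False          # stuck closed: cannot remove power
    if state == "safe":
        return True           # stuck open: trips whether or not asked
    return demand             # healthy: trips only on a real demand


def system_trips(states, demand, m):
    """MooN voting: the machine stops when at least m of the n channels vote to trip.
    1oo2 -> contacts in series (one open stops it); 2oo2 -> contacts in parallel."""
    return sum(channel_trips(s, demand) for s in states) >= m


def failures_tolerated(m, n, failure_mode):
    """Largest number of channels that can sit in `failure_mode` while the
    architecture still (a) trips when a demand occurs and (b) does not
    trip spuriously when there is no demand (assumed acceptance criteria)."""
    tolerated = 0
    for k in range(1, n + 1):
        states = [failure_mode] * k + ["ok"] * (n - k)
        trips_on_demand = system_trips(states, True, m)
        spurious_trip = system_trips(states, False, m)
        if trips_on_demand and not spurious_trip:
            tolerated = k
        else:
            break
    return tolerated


def summarize():
    """Map architecture name -> (dangerous failures tolerated, safe failures tolerated)."""
    archs = {"1oo2": (1, 2), "2oo2": (2, 2), "2oo3": (2, 3)}
    return {name: (failures_tolerated(m, n, "dangerous"),
                   failures_tolerated(m, n, "safe"))
            for name, (m, n) in archs.items()}


if __name__ == "__main__":
    for name, (dang, safe) in summarize().items():
        print(f"{name}: tolerates {dang} dangerous and {safe} safe failure(s)")
```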
 
