Most used Architectures
In the following table we show the most used architectures when designing Safety Instrumented Functions (SIF).
Logic | Channels | HFT (S) | HFT (A) | Objetives | Used for |
1oo1 | 1 | 0 | 0 | sensor, actuator | |
1oo2 | 2 | 1 | 0 | More Safety | sensor, actuator |
2oo2 | 2 | 0 | 1 | More Availability | sensor, actuator |
2oo3 | 3 | 1 | 1 | Safety+Availability | sensor, PLC |
1oo2D | 2 | 1 | 0 | Safety with high diagnostics | PLC (DMR) |
2oo4D | 4 | 2 | 1/2 | Safety+Availab. with high diagnostics | PLC (QMR) |
2oo3D | 3 | 1/2 | 1/2 | Safety+Availab. with high diagnostics | PLC (TMR) |
HFT(S)= Hardware Fault Tolerant for Safety
HFT(A)= Hardware Fault Tolerant for Availability
Recall that the logic of the sensor and actuator subsystems is programmed in the Logic Solver (Safety PLC). This logic can be simple (1oo1, 1oo2, 2oo3, 2oo2) or much more complex by combining several groups (for example, 2oo2 architecture with 2 1oo2 groups).
What does “MooN” mean?
The SIF has 3 subsystems, each one can have a different architecture. When we talk about a MooN architecture (M out of N) we have:
- N channels (for example: N sensors, or N shut-off valves, or N microprocessors in the PLC, or N transistors in each PLC digital output, etc.)
- There is a channel voting system (N channels), so that M channels must act for the architecture to perform its safety function correctly (for example, if I have 2 sensors with a 1oo2 architecture then it is sufficient to exceed the trip setpoint in 1 channel for the SIF to act on the final element).

What is the “Fault Tolerance” of an architecture?
The Hardware Fault Tolerance (HFT) indicates the
maximum number of channels that can fail to remain protected, even if
there has been a degradation of the architecture.
For example, if one of the 1oo2 channels fails (for example, one of the valves
remains seized and cannot close) then the architecture degrades to 1oo1 because
we still have 1 valve to close in case of Safety Function is demanded by the
SIS.
The following graphic compares several architectures. On the vertical axis we have the PFDavg (average probability of failure on demand) and on the horizontal the value of MTTFS (“Mean Time To Fail Spuriously.” This parameter measures how often it is likely that a SIF safe failure will occur and therefore shutdown the process).
2oo3 architecture is the most used in critical systems where we need both safety and process availability.
