I had a heated debate with a colleague on 1oo2D & 2oo3 TMR (Triple Modular Redundancy) safety system topology.
For those who are not familiar with TMR, it is basically an architecture that triplicates its components and votes the outputs (2 out of 3) to minimize the probability of failure to function on demand, while at the same time preserving the integrity of the decision the architecture makes. It is also fault tolerant (through strategic redundancy), so it keeps operating even with a few or several faults present in the system. The overall system is therefore both reliable and, to a certain extent, available. 1oo2D is similar, except that it votes 1 out of 2 independent channels and relies on heavy self-test or diagnostics (the "D") to detect a faulty channel and take it out of the vote.
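To make the difference between the two voting schemes concrete, here is a small simulation of a 2oo3 voter and a 1oo2D voter, added here as an illustration and not taken from the original post or from any vendor's logic solver. The channel outputs, fault scenarios and the simplified degradation rules (TMR voting ignores diagnostics; 1oo2D drops a flagged channel and fails safe when both are flagged) are constructed assumptions for the example, not a description of a specific certified product.

```python
"""Voter simulation for 2oo3 (TMR) and 1oo2D logic-solver topologies.

Added example, not from the original post. Channel values, fault scenarios
and the degradation rules are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum

TRIP = True   # demanded safe action, e.g. de-energise to close the valve
RUN = False   # no action demanded


class Diag(Enum):
    OK = "ok"                  # healthy, or faulty in a way the self-test cannot see
    FAULT = "fault-detected"   # channel's own diagnostics have flagged it


@dataclass(frozen=True)
class Channel:
    output: bool         # what the channel asserts: TRIP or RUN
    diag: Diag = Diag.OK


def vote_2oo3(channels):
    """TMR: trip when at least two of three channels demand it.

    Simplification: this voter does not consult diagnostics at all; a single
    wrong channel (in either direction) is simply outvoted by the other two.
    """
    if len(channels) != 3:
        raise ValueError("2oo3 needs exactly three channels")
    return sum(c.output for c in channels) >= 2


def vote_1oo2d(channels):
    """1oo2D: trip when either healthy channel demands it.

    A channel flagged by its diagnostics is excluded, so the pair degrades to
    1oo1 on the remaining channel. If both are flagged there is nothing left
    to trust and the solver goes to the safe state (trip).
    """
    if len(channels) != 2:
        raise ValueError("1oo2D needs exactly two channels")
    healthy = [c for c in channels if c.diag is Diag.OK]
    if not healthy:
        return TRIP
    return any(c.output for c in healthy)


def scenarios():
    """Constructed fault scenarios; returns {name: (tmr_output, 1oo2d_output)}."""
    ok = Channel(RUN)                        # healthy, no process demand
    demand = Channel(TRIP)                   # healthy, sees a real demand
    stuck_run_undetected = Channel(RUN)      # dangerous undetected: ignores the demand
    stuck_run_detected = Channel(RUN, Diag.FAULT)   # same fault, but self-test caught it
    stuck_trip_undetected = Channel(TRIP)    # safe-side fault: spurious trip demand
    flagged_ok = Channel(RUN, Diag.FAULT)    # no demand, but diagnostics flag the channel
    return {
        "demand, one channel dangerous-undetected": (
            vote_2oo3([demand, demand, stuck_run_undetected]),
            vote_1oo2d([demand, stuck_run_undetected])),
        "demand, two channels dangerous-undetected": (
            vote_2oo3([demand, stuck_run_undetected, stuck_run_undetected]),
            vote_1oo2d([stuck_run_undetected, stuck_run_undetected])),
        "demand, one channel fault detected": (
            vote_2oo3([demand, demand, stuck_run_detected]),
            vote_1oo2d([demand, stuck_run_detected])),
        "no demand, one channel spurious trip": (
            vote_2oo3([ok, ok, stuck_trip_undetected]),
            vote_1oo2d([ok, stuck_trip_undetected])),
        "no demand, both channels flagged by diagnostics": (
            vote_2oo3([ok, flagged_ok, flagged_ok]),
            vote_1oo2d([flagged_ok, flagged_ok])),
    }


if __name__ == "__main__":
    for name, (tmr, d) in scenarios().items():
        print(f"{name:50s} 2oo3={'TRIP' if tmr else 'RUN':4s} 1oo2D={'TRIP' if d else 'RUN'}")
```

Two of the rows carry the argument of this post. With a real demand and a single dangerous undetected fault, both topologies still trip; with two such faults, neither does, and no amount of voting helps once undetected faults have been allowed to accumulate between proof tests. On the availability side, the 2oo3 voter outvotes a single channel that spuriously calls for a trip, while 1oo2D can only ignore that channel if its diagnostics have actually flagged it.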
This colleague of mine was highly ingrained in the TMR architecture. I went, “What’s wrong with 1 out of 2 D? Redundancy doesn’t necessarily translate to safety.” In the end, we were in agreement on this – in a low maintenance environment – go with the most redundancy.
Topology alone doesn’t decide it, actually. If proof-test intervals are not met and the input/output instruments are single, non-safety-grade devices, the loop as a whole cannot claim the safety integrity level that the safety instrumented function for your plant requires, whatever voting scheme the logic solver uses.