The 11th International Fluid Power Conference, 11. IFK, March 19-21, 2018, Aachen, Germany

2oo3plus – A New Design of Electro-hydraulic Safety Controls for Critical Applications

Kristof Schlemmer**, Jörg Ebersohl* and Edgar Weishaupt*

* HYDAC Systems & Services GmbH, Sonnenallee 1, D-66287 Quierschied-Göttelborn, Germany
** formerly: as above (*); now: Moog Luxembourg S.à r.l.
E-Mail: joerg.ebersohl@hydac.com

This paper presents an alternative design approach of electrohydraulic safety manifolds for use in quick-closing actuators. Setting off from the common 2oo3 voting architecture, a separation of flow paths produces a new solution employing six solenoid-operated 2/2-way poppet valves with electrical coupling. The technical discussion exhibits various advantages, such as improved reliability, both from a systematic and from a probabilistic point of view. It is shown that the new 2oo3plus system beats other common structures with regard to the safety metrics according to IEC 61508.

Keywords: IEC 61508, SIL, 2-out-of-3 voting, Functional Safety, valve actuator, turbine trip
Target audience: Functional Safety, Process Technology, Reliability & Robustness

1 Introduction

Process plants, e.g. in the water/steam circuit of thermal power plants, need to be operated safely, as they pose an increased hazard risk for humans and the environment and can cause damage in the event of a fault. The field of Functional Safety deals with the assessment, reduction and control of such risks with the aim of achieving a tolerable risk level. For process industry applications in low demand mode, appropriate approaches and methods are set down in IEC 61508 /1/ and IEC 61511, including the Safety Integrity Level (SIL) as a measure of risk reduction and possible architectures of system redundancy.

In power generation processes, risk is mainly caused by the high energies being handled (e.g. potentially producing turbine overspeed), whereas in the process industry it can also be caused by the chemical aggressiveness of the fluids conveyed. When corresponding protective measures are developed, a prime focus is on the fluid control valves and how they are utilised in the execution of safety functions. Common safety functions include the fast shut-off of supply lines or the opening of bypass or relief lines, using electro-hydraulic actuators as shown in Figure 1. Actuator systems of this type act on the stem of a process seat valve and are equipped with a fail-safe energy storage element, such as a stack of disc springs or a hydraulic accumulator. The system is operated hydraulically by means of a directional valve against the spring while the trip valve is closed. In the event of an emergency, the safety function (‘trip’) is executed by opening the trip valve and thus releasing the spring, which brings the system into the safe state (cylinder extended, process valve closed). The trip is initiated by discharging port X to the reservoir – governed by the voting logic implemented in the safety manifold.

Figure 1: Valve operation set-up with spring-loaded electro-hydraulic valve actuator (fail-safe close)

The most common voting architectures are considered in /1/, where M-out-of-N, or MooN, means that of a total of N elements, at least M are required to function in order to perform the safety function. The 2oo3 voting architecture common in many SIL-3 systems connects three equal elements such that any two of them can together initiate the safety action, which means that one single failure is tolerated (Hardware Fault Tolerance HFT = 1). The hydraulic implementation commonly involves three hydraulic channels and three 4/2-way spool valves A..C (see Figure 2, Figure 3, and e.g. /2/, /3/). These are arranged in such a fashion that each hydraulic flow path used to depressurise the connected actuator passes sequentially through two different valves. At the same time, each channel uses only one of the two internal flow paths (P→A or B→T) opened by the valve spool, so each valve synchronously controls two separate hydraulic connections. Six controlled openings are therefore required to realise the 2oo3 function, mechanically coupled, however, in pairs via the valve spools. The control elements (openings) in one hydraulic channel are not independent. Hence, the failure of one valve results in the failure of two hydraulic channels, leaving a 2oo2 voting architecture.

Figure 2: Example of common hydraulic 2oo3 voting using three 4/2-way spool valves /2/

Figure 3: Corresponding schematic diagram
2 Enhanced Concept with an Alternative Voting Architecture – 2oo3plus

2.1 Separation of Flow Paths

The new HYDAC EHC-S 2oo3plus safety control now aims to eliminate the mechanical coupling of the control openings and to replace it with an electrical coupling of six individual valves, distributed in pairs across the three hydraulic channels (see Figure 4 and Figure 5). This innovative layout increases the hardware fault tolerance to at least HFT = 2, as only two out of six valves are needed in the best case, and four in the worst case. A single valve failure results in the failure of only one hydraulic channel. As the six valves are electrically controlled in pairs (e.g. A1/A2) such that the valves actuated by a single electrical signal are located in different hydraulic channels, the system behaves like a 2oo3 voting logic towards the supervisory process controller.

Figure 4: Concept of 2oo3plus voting using six 2/2-way poppet valves. Coloured lines depict control links.

Figure 5: Corresponding schematic diagram

The 2oo3plus system employs six 2/2-way poppet valves which are solenoid operated and internally piloted. These components are well-tried in large numbers and highly reliable due to their design. Field experience and scientific investigations (e.g. /4/) have shown that this type of valve is less susceptible to oil contamination, silting, hydraulic lock and varnishing effects than spool valves. Particularly with regard to blocking in closed state (non-opening), they can be considered superior for use in this application.

Further advantages include (/5/):

• Fast switching times support rapid actuator discharging.

• Poppet design effectively prevents leakage during normal operation; suitable for accumulator-based applications.

• Increased range of flow rates combined with solenoid operation; may eliminate the need for piloted slip-in cartridge valves in some cases.

• Compact and light-weight manifold design; allows flange-mounting on the actuator.

• Reduced component costs due to large-batch standard valves.

• Minimised internal cavity volume prevents pressure collapse; suitable for a large operating pressure range from as low as 6 bar up to 250 bar.

• Wide ambient temperature range (-20..60 °C, with special measures up to 80 °C); suitable for demanding applications such as power plants or process plants.

• Robust against oil contamination, moderate cleanliness requirements (20/18/15 acc. to ISO 4406).

• No requirements on installation position/orientation.

2.2 Diagnostic Valve Test

Cyclical diagnostic testing of the channels is a prerequisite of redundant architectures and helps to guarantee safety integrity. The 2oo3plus safety control makes it possible to reliably check that a valve is functioning correctly in a live system by either position monitoring or pressure monitoring.

2.2.1 Position monitoring

All six valves are equipped with an inductive position switch to detect whether the valves are in open or closed state.

2.2.2 Pressure monitoring

Each of the three hydraulic channels is equipped with an electronic pressure switch located in the intermediate section between the two poppet valves, see Figure 6. The pressure switches feature two threshold set-points and digital outputs, in combination defining three pressure bands (high/neutral/low). Each valve is bypassed by an orifice (not shown) establishing a restricted connection between the pressure switch and the high pressure pX in X or the tank pressure pT in T, respectively. The orifices are dimensioned to produce equal pressure drops, hence creating an intermediate pressure pM of approximately half the system pressure in standby state. A seated test activation valve on the high-pressure side can be used to isolate the diagnostic test set-up and ensure zero leakage during normal operation. Alternatively, if leakage is not an issue, this valve can be omitted, and a permanent simple online monitoring of the main valves is possible. Information about the states of the valves can then be derived from the pressure ratios measured in the hydraulic channels when a logical valve pair is de-energised.

Figure 6: Testing set-up of the 2oo3plus system (simplified).
2.2.3 Testing Procedure

With either of the two monitoring methods, the following procedure is carried out. It is identical with the one applied in standard 2oo3 systems.

1. If applicable, enable the testing set-up by opening test activation valve T.

2. Check the standby state (all channels energised), see Figure 7 on the left.

3. De-energise one single logical channel (e.g. valve pair A1/A2) and check the corresponding valve states, see Figure 7 centre and right.

4. Re-energise that channel and check the standby state again.

5. Repeat steps 3 and 4 with the other two channels.

6. If applicable, disable the test set-up by closing test activation valve T.

If at any point a check returns a negative result, the procedure is to be interrupted until the fault has been localised and removed, in order to circumvent the risk of a spurious trip.

Figure 7: Expected pressure levels within valve checks. (Solenoid highlighted means energised)

2.2.4 Compatibility with Conventional Control Systems

The 2oo3plus approach differs from conventional 2oo3 systems in the number of solenoids to be controlled and in the number of feedback signals to be evaluated (6 instead of 3). Moreover, the evaluation of the six feedback signals implies some Boolean logic to extract the desired information on the functioning of valve pairs and single valves by means of truth tables. In the simplest case, the supervisory process controller can provide the additional inputs and outputs as well as a program to run the evaluation procedure. However, if these resources are not available on the master PLC side, the EHC-S 2oo3plus can be supplemented by an interface box that includes the evaluation logic and adapts inputs and outputs to match the conventional 2oo3 set-up.

As illustrated in Figure 8, the interface box is comprised of an all-electrical connection module and a non-programmable electronic diagnostics module. Due to its simplicity and robustness, the connection module does not introduce additional risks or failure rates. Similarly, the diagnostics module has been optimised for maximum reliability and contains no software or other programmable or complex elements. Furthermore, in case of an internal electronics failure, it can be exchanged without affecting system operation or availability of the safety function.

Figure 8: The 2oo3plus Interface Box adapts the manifold to standard 2oo3 controllers. Legend: SV – solenoid valve, FB – feedback, PS – pressure switch

2.3 Partial-stroke Test

Besides the diagnostic valve test, a partial stroke test of a connected actuator can be realised by means of an additional flange-mounted module (see Chapter 3.1). This is particularly useful in actuators that permanently maintain one constant position over long periods of operation (‘dormant mode’). The integrity of the entire safety chain can thus be checked by means of a controlled partial release of oil that lets the cylinder extend over a minor limited distance. The expected piston travel is monitored through limit switches or a position transducer, delivering feedback on the proper functioning of the actuator.

3 Hardware Implementation

3.1 Modularity

Each of the three hydraulic channels is realised within a modular valve plate element. These valve plates are mounted on a base plate that contains the connections between the channels and to the port plate, see Figure 9 and Figure 10. The variable port plate in turn provides an interface to actuator, pressure supply and reservoir and can be adapted to specific installation requirements (e.g. direct flange-mounting on the actuator, piping connection). Furthermore, it can carry additional functional modules as described in Chapter 3.2.

Figure 9: Modular manifold design (simplified)
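The pressure-monitoring diagnostic of section 2.2.2, the testing procedure of 2.2.3 and the six-to-three feedback reduction of 2.2.4, as an added Python model that is not part of the paper and not HYDAC's code. The slab layout (A1/C2, B1/A2, C1/B2) is the one listed for 2oo3plus in Figure 11; the placement of the first-listed valve of each slab on the X side, the pressure values and the switch set-points are assumptions made for this example.

```python
# Slab layout of the 2oo3plus manifold as listed in Figure 11: each slab (hydraulic
# channel) holds two poppet valves in series that belong to different logical pairs.
SLABS = {1: ("A1", "C2"), 2: ("B1", "A2"), 3: ("C1", "B2")}
PAIRS = {"A": ("A1", "A2"), "B": ("B1", "B2"), "C": ("C1", "C2")}
# Assumption for this example (not stated on the page): the first-listed valve of a
# slab sits on the X (high-pressure) side, the second one on the T (tank) side.
P_X, P_T = 160.0, 0.0                 # bar, constructed control and tank pressures
HIGH, LOW = 0.75 * P_X, 0.25 * P_X    # constructed pressure-switch set-points


def slab_pressure(open_valves, slab):
    """Intermediate pressure p_M of one slab in the orifice-bypass model of 2.2.2.
    Returns None when both valves are open: the slab is then discharging X to T."""
    upstream, downstream = SLABS[slab]
    up_open, down_open = upstream in open_valves, downstream in open_valves
    if up_open and down_open:
        return None
    if up_open:
        return P_X                    # p_M is pulled up to p_X through the open valve
    if down_open:
        return P_T                    # p_M is pulled down to p_T through the open valve
    return (P_X + P_T) / 2            # both closed: equal orifice drops, about half p_X


def band(p):
    """Classify p_M into the three bands defined by the two set-points."""
    if p is None:
        return "discharging"
    return "high" if p >= HIGH else "low" if p <= LOW else "neutral"


def opened_valves(de_energised, stuck_closed=frozenset()):
    """Physical response: a valve opens when its pair is de-energised, unless it is
    stuck closed (the non-opening failure the paper treats as the dangerous one)."""
    opened = {v for pair in de_energised for v in PAIRS[pair]}
    return opened - set(stuck_closed)


def bands_for(de_energised, stuck_closed=frozenset()):
    opened = opened_valves(de_energised, stuck_closed)
    return {s: band(slab_pressure(opened, s)) for s in SLABS}


def expected_bands(pair):
    """Pressure pattern a healthy manifold must show with exactly one pair de-energised."""
    return bands_for({pair})


def diagnostic_valve_test(stuck_closed=frozenset()):
    """Steps 2 to 5 of the procedure in 2.2.3 with pressure monitoring. Returns the
    list of (step, slab, observed, expected) deviations; an empty list means pass."""
    faults = []
    standby = {s: "neutral" for s in SLABS}

    def check(step, observed, expected):
        for s in SLABS:
            if observed[s] != expected[s]:
                faults.append((step, s, observed[s], expected[s]))

    check("standby", bands_for(set(), stuck_closed), standby)
    for pair in PAIRS:
        check("de-energise " + pair, bands_for({pair}, stuck_closed), expected_bands(pair))
        check("re-energise " + pair, bands_for(set(), stuck_closed), standby)
    return faults


def pair_feedback(position_open, de_energised):
    """Interface-box style reduction of the six position switches to the three pair
    signals a conventional 2oo3 controller expects (2.2.4): a pair is reported healthy
    only if both of its valves are in the state commanded for that pair."""
    return {pair: all(position_open[v] == (pair in de_energised) for v in valves)
            for pair, valves in PAIRS.items()}
```

With a healthy manifold `diagnostic_valve_test()` returns an empty list. Passing a stuck-closed valve, e.g. `{"A2"}`, makes the test of pair A report slab 2 at "neutral" where "low" is expected, which is the negative result at which 2.2.3 says the procedure must stop until the fault is localised; the other two pairs still test clean, which is the single-channel confinement of a valve failure described in 2.1.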
Figure 10: Samples of 2oo3plus safety manifolds in nominal sizes 6, 10, and 16 (left to right)

Apart from direct physical benefits, the modular design of the EHC-S 2oo3plus manifold allows not only for 2-out-of-3 voting, but also for the implementation of various different M-out-of-N architectures, incl. enhanced (‘plus’) functionalities not available in common standard approaches. The following Figure 11 gives an overview of all the possible configurations. The ones denominated as MooNplus consist of an MooN structure, where each channel itself contains a 2oo2 redundancy. As an additional feature, this provides the capability of testing the channels during operation without compromising the main function and safety, while at the same time increasing availability.

MooN voting      No. of slabs   Valve set-up (valves per slab)    HFT (d)¹  HFT (s)¹  Valve diagnostic  Annotations on
                 x valves       Slab 1    Slab 2    Slab 3                            test              diagnostic valve test
1oo1             1x1            A1        -         -             0         0         no                not available
1oo1plus         1x2            A1, A2    -         -             0         1         yes²              de-energising of single valves for test only
(1oo1 x 2oo2)
1oo2             2x1            A1        B1        -             1         0         no                not available
1oo2plus         2x2            A1, A2    B1, B2    -             1..2      1..2      yes²              de-energising of single valves for test only
(1oo2 x 2oo2)
2oo2             1x2            A1, B1    -         -             0         1         yes               de-energising of single valves
2oo2plus         2x2            A1, B2    B1, A2    -             1..2      1..2      yes               de-energising of valve pairs
(2oo2 x 2oo2)
1oo3             3x1            A1        B1        C1            2         0         no                not available
1oo3plus         3x2            A1, A2    B1, B2    C1, C2        2..4      2..4      yes²              de-energising of single valves for test only
(1oo3 x 2oo2)
2oo3plus         3x2            A1, C2    B1, A2    C1, B2        2..4      2..4      yes               de-energising of valve pairs

¹ Hardware Fault Tolerance of hydraulic part towards dangerous (d) or safe (s) failures, respectively
² if valves are operated accordingly during test, deviating from normal operation

Figure 11: Possible MooN voting configurations utilising the modular structure

3.2 Additional Functionality

Optionally, the EHC-S 2oo3plus safety manifold can be extended to provide additional features. These are added by functional modules mounted on the port plate.

3.2.1 Partial Stroke Test

The partial stroke test described in Chapter 2.3 is realised in a combination of two sandwich plates and a recirculation plate, as shown in Figure 12. Depending on the focus of the testing philosophy, activation of the cylinder extension can be controlled by one or two normally closed 2/2-way poppet-type solenoid valves in the upper sandwich plate, the valves being linked in series through the recirculation plate. Valve redundancy will improve the system availability, as it prevents an unwanted transition into the safe state in case of a valve failure. The lower sandwich plate contains a variable flow restrictor used for tuning the cylinder extension speed when discharging the pressurised cylinder volume connected to port E. Port A may be used to supply oil to the cylinder in order to bring it into the standby position (spring loaded).

Figure 12: Partial stroke test module

3.2.2 Directional Control

If it is desired to directly control the actuator movement, a directional valve – on/off or proportional/servo, NG06 or NG10 – may be mounted on the port plate, see Figure 13. This function cannot be combined with other functions.

Figure 13: Directional control module
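A brute-force check of the hardware fault tolerance ranges listed in Figure 11, which also covers the HFT = 2 argument of section 2.1 and the 2oo6..4oo6 reasoning of Chapter 5, written for this page in Python (not the paper's or HYDAC's code). The valve set-ups are copied from the table; the failure model is the one the text uses: a dangerous failure is a valve that fails to open on demand, a safe failure is a valve that opens spontaneously, and the hydraulic part discharges X as soon as every valve of one slab is open. The conventional spool-valve 2oo3 of Chapter 1 is modelled alongside for comparison.

```python
from itertools import combinations

# Valve set-ups from Figure 11: one tuple per slab (hydraulic channel) listing the
# valves that sit in series in that slab; the letter names the logical pair.
CONFIGS = {
    "1oo1":     [("A1",)],
    "1oo1plus": [("A1", "A2")],
    "1oo2":     [("A1",), ("B1",)],
    "1oo2plus": [("A1", "A2"), ("B1", "B2")],
    "2oo2":     [("A1", "B1")],
    "2oo2plus": [("A1", "B2"), ("B1", "A2")],
    "1oo3":     [("A1",), ("B1",), ("C1",)],
    "1oo3plus": [("A1", "A2"), ("B1", "B2"), ("C1", "C2")],
    "2oo3plus": [("A1", "C2"), ("B1", "A2"), ("C1", "B2")],
}


def trip_path_open(slabs, open_valves):
    """Port X is discharged to T as soon as every valve of at least one slab is open."""
    return any(all(v in open_valves for v in slab) for slab in slabs)


def hft_range(elements, tolerated):
    """Brute-force hardware fault tolerance. `tolerated(failed)` says whether the
    function is still correct with that set of failed elements. Returns
    (worst case, best case): the largest number of simultaneous failures tolerated
    for every placement, and for at least one placement."""
    worst = best = 0
    for k in range(1, len(elements) + 1):
        results = [tolerated(set(c)) for c in combinations(elements, k)]
        if all(results):
            worst = k
        if any(results):
            best = k
    return worst, best


def hft_dangerous(slabs):
    """Dangerous failure = valve stuck closed. On demand every solenoid is de-energised,
    so all valves that are not stuck are open; the trip must still get through."""
    valves = [v for slab in slabs for v in slab]
    return hft_range(valves, lambda failed: trip_path_open(slabs, set(valves) - failed))


def hft_safe(slabs):
    """Safe failure = valve spuriously open while all solenoids are energised; the
    failure set is tolerated as long as it does not discharge X (spurious trip)."""
    valves = [v for slab in slabs for v in slab]
    return hft_range(valves, lambda failed: not trip_path_open(slabs, failed))


def hft_table():
    """{name: ((HFT_d worst, best), (HFT_s worst, best))} for every row of Figure 11."""
    return {name: (hft_dangerous(s), hft_safe(s)) for name, s in CONFIGS.items()}


def spool_2oo3_dangerous():
    """Conventional 2oo3 with three 4/2-way spool valves (Chapter 1): the two openings
    of a spool fail together, and each discharge path runs through two different
    spools, so a path works only while both of its spools are healthy."""
    paths = [("A", "B"), ("B", "C"), ("A", "C")]
    healthy_path = lambda failed: any(all(s not in failed for s in p) for p in paths)
    return hft_range(["A", "B", "C"], healthy_path)
```

`hft_table()` reproduces the HFT (d) column for all nine rows (2oo3plus gives (2, 4), i.e. at least two and up to four tolerated non-opening valves, depending on where they sit) and the HFT (s) column for the one- and two-slab rows; for the three-slab ‘plus’ rows it gives 1..3 for safe failures, the range Chapter 5 states for 2oo3plus. `spool_2oo3_dangerous()` returns (1, 1): one failed spool already disables two channels, so there is no placement in which a second failure could be tolerated.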
3.2.3 Pressure Supply Shut-off

Figure 14: Pressure supply shut-off module

When the actuator trips, the supply port P is connected via orifice BP and the two open main valves to the reservoir. This implies a small permanent idling flow that can be undesirable in cases of limited oil supply, e.g. in accumulator-backed systems. To eliminate this effect, the shut-off module from Figure 14 is used to isolate the pressure supply port P. The valve solenoid should be powered synchronously with the main valve solenoids, so that the normally closed valve performs its function automatically in case of a trip. The shut-off module can be combined with the partial stroke test module.

3.2.4 Explosion Protection

Throughout the design of the EHC-S 2oo3plus manifold, its potential suitability for applications in explosive atmospheres has been considered. Through the use of appropriate electrical components, the system can be upgraded to comply with the Atex Directive 2014/34/EU in explosion protection class Ex II 2G IIC T4. Figure 15 shows the explosion-proof version of the safety control.

Figure 15: 2oo3plus manifold in explosion-proof configuration

4 System Performance

The performance of hydraulic safety controls mainly relates to two aspects:

1. Flow capacity is measured and described by the characteristic of pressure drop against flow rate. Small pressure drops are desirable for a variety of reasons: a large backpressure level will compromise the actuator closing force by a parasitic counterforce; severely reduce the available utilisable differential pressure in applications with limited supply pressure (such as safety systems supplied from lubrication oil units); and waste energy dissipated through the flow resistance. For dimensioning purposes, only the characteristic of one single hydraulic channel is relevant, since the safety manifold is required to deliver its rated performance in case of failure of one logical channel (i.e. two hydraulic channels). Figure 16 plots the pressure drop characteristic of the current EHC-S 2oo3plus series. In comparison with conventional direct operated 2oo3 manifolds, the range of flow rates covered is positively extensive, and will be extended further by the future NG20 member of the series.

Figure 16: Pressure drop characteristics of the 2oo3plus series. One hydraulic channel, HLP 46 @ 30 °C.

2. The dynamic discharge characteristic of the safety manifold has an important impact on the total closing time of the actuator. It is difficult to quantify separately from the actuator, and finally, it is always the dynamic performance of the entire trip system that counts. However, in order to specify and compare safety manifold performance independently, the manifold discharge behaviour with the smallest possible hydraulic capacity gives a meaningful indication as well, as the overall closing process can never be faster than this. The discharge behaviour is governed firstly by the delay between de-energisation of the solenoids and the beginning of the pressure relief, and secondly by the discharge time measured from the beginning of relief until the mean pressure curve has decreased to 10 % above the stationary pressure level. The exemplary diagram in Figure 17 proves fairly fast responses of the NG16 manifold.

Figure 17: Pressure discharge characteristic of NG16. One hydraulic channel, HLP 46 @ 48 °C.
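The two timing quantities defined under point 2, evaluated on a constructed pressure trace as an added Python example (not the paper's measurement software and not the Figure 17 data): the delay from de-energisation to the beginning of relief, and the discharge time from there until the curve has fallen to 10 % above the stationary level. Two details the text leaves open are fixed here as assumptions: relief is taken to begin at the first sample that has fallen by more than 2 % of the total pressure step, and ‘10 % above the stationary level’ is read as 10 % of the initial-to-stationary pressure step.

```python
import math


def constructed_trace(p0=160.0, p_stat=4.0, delay=0.015, tau=0.04, dt=0.001, t_end=0.3):
    """Constructed pressure curve [bar] against time [s] after de-energisation: p0 is
    held until relief begins at `delay`, then the pressure decays exponentially
    towards the stationary level p_stat. Returns a list of (t, p) samples."""
    samples = []
    for i in range(int(round(t_end / dt)) + 1):
        t = round(i * dt, 6)
        p = p0 if t < delay else p_stat + (p0 - p_stat) * math.exp(-(t - delay) / tau)
        samples.append((t, p))
    return samples


def discharge_metrics(samples, p_stat, relief_fraction=0.02, settle_fraction=0.10):
    """Delay and discharge time as defined in Chapter 4, point 2.
    Assumptions: relief begins at the first sample more than `relief_fraction` of the
    total step below the initial pressure; discharge ends at the first sample at or
    below p_stat + settle_fraction * (p0 - p_stat)."""
    p0 = samples[0][1]
    step = p0 - p_stat
    t_relief = next((t for t, p in samples if p < p0 - relief_fraction * step), None)
    t_settle = next((t for t, p in samples if p <= p_stat + settle_fraction * step), None)
    if t_relief is None or t_settle is None:
        raise ValueError("trace does not reach the threshold; record a longer trace")
    return {"delay": t_relief,
            "discharge_time": round(t_settle - t_relief, 6),
            "closing_time": t_settle}
```

On the constructed trace the delay comes out as 16 ms and the discharge time as 92 ms (a first-order decay with time constant tau needs tau·ln 10 to fall to one tenth of the step); halving the discharge rate doubles the discharge time but leaves the delay almost unchanged, which is why the two quantities are reported separately.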
5 Evaluation of Functional Safety

The EHC-S 2oo3plus safety control has been certified SIL-3 capable in compliance with IEC 61508 by TÜV Rheinland. The underlying assessment of Functional Safety includes evaluations of systematic and hardware capabilities and of quantitative key parameters. First of all, the different nature of the 2oo3plus concept needs to be recognised, as IEC 61508 does not provide standard procedures and calculations for this architecture. A tempting, but incorrect approach would be to consider it as (2oo3 x 2oo2), i.e. 2oo3 with serial redundancy per channel. This is not appropriate, because a single valve failure does not corrupt the entire logical channel; the second valve can still fulfil its function within its own hydraulic channel. More appropriately, the 2oo3plus structure can be considered as (2oo6..4oo6), i.e. it varies depending on the position of failures within the structure. Figure 18 illustrates this relation in the style of IEC 61508 block diagrams.

Figure 18: Block diagram of 2oo3plus.

Although IEC 61508 does not give explicit guidance in this case, the employed probabilistic calculation methods can be transferred; missing data can be extrapolated or estimated conservatively. In this fashion, corresponding formulae can be obtained for the probability of failure on demand of the group of channels (PFDG) – comprised of a term PFDI related to independent failures and a term PFDCCF related to common cause failures (CCF) – and the ratio of CCFs. To compare the probabilistic performances, a fictitious exemplary case is examined, using identical input parameters: failure rate λ = 1000 FIT, dangerous failure rate λD = 0.5 λ, proof test interval T1 = 5 a, diagnostic test interval TD = 7 d, CCF base ratio (index int) = 0.05, mean repair time MRT = 72 h, diagnostic coverage with diagnostic test DCD = 90 %. The result is lined up in Figure 19. In all cases, the contribution of CCF to the PFD is dominant, because it is fairly unlikely that two valves independently fail at the same time. At first sight, the 1oo3 structure might be expected to deliver the lowest PFDI value, which without any cyclic diagnostic testing would actually be true; however, the diagnostic test strongly acts in favour of architectures with HFT > 0. Since the 2oo3plus concept unites the advantages of diagnostic testing and increased HFT, its probabilistic safety performance exceeds both 1oo3 and 2oo3, in spite of its greater parts count. Furthermore, this consideration does not yet account for any improvements in valve reliability due to more suitable design (cf. Chapter 2.1).

Figure 19: Comparison of PFD values for various MooN structures.

As mentioned before, the hardware fault tolerance of the 2oo3plus voting is always at least HFT = 2. However, depending on which valves actually fail, up to four failures can be tolerable without affecting the safety function. Figure 20 (left) relates this to other common voting architectures, particularly standard 2oo3. Similarly, when safe failures as a potential cause of spurious trips are regarded, the HFT is in the range of 1..3 (Figure 20, right).

Figure 20: Comparison of safety and availability in terms of corresponding HFT for various MooN structures.

6 Summary and Conclusion

Thanks to its innovative system architecture and highly reliable components by design, the 2oo3plus solution not only has a higher tolerance to dangerous faults, but also to safe faults. The probability of failure of the safety function is reduced, and the safety as well as the availability of the plant under protection are effectively enhanced. Being extremely scalable, compact, and light at the same time, the solution provides economic and reliable protection for critical applications involving the rapid discharging of pressurised volumes or spring-loaded actuators, e.g. in power plants and process technology. It is suitable and certified for use up to SIL 3. Moreover, the incorporated modular design allows not only for 2-out-of-3, but for the implementation of various different M-out-of-N voting architectures, incl. enhanced functionalities not available in common standard approaches.

Nomenclature

Variable   Description                                                           Unit
pM         Intermediate pressure between the two valves of a hydraulic channel   [bar]
pT         Pressure at tank port T                                               [bar]
pX         Pressure at control port X                                            [bar]
T1         Proof test interval                                                   [a]
TD         Diagnostic test interval                                              [d]
λ          Failure rate                                                          [FIT = 10⁻⁹/h]

References

/1/ IEC 61508-1..7:2010. Functional safety of electrical/electronic/programmable electronic safety-related systems, Ed. 2.0, 2010.

/2/ Brändli, M. et al., Hydraulic release unit for a valve unit in a power machine assembly, in particular for a quick-closing valve of a turbine assembly, European Patent EP2172656B1, 2013.

/3/ Schmieding, M., Safety circuit for a fluid actuated actuator and method for using the same, European Patent EP1630425B1, 2012.

/4/ Schumacher, Jan. Entwicklung eines Zeitraffertests für Hydraulikventile zur Ermittlung von Zuverlässigkeitswerten. Abschlussbericht 78 Hy 66, Institut für fluidtechnische Antriebe und Steuerungen (IFAS), RWTH Aachen, 2011.

/5/ HYDAC System GmbH, Electrohydraulic safety control EHC-S 2oo3plus, Datasheet E 2.804.0/03.17, Sulzbach/Saar, 2017.
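A worked instance of the PFDG = PFDI + PFDCCF decomposition of Chapter 5 with the parameter set quoted there, added here as Python (not the paper's calculation and not the Figure 19 values). The architecture formulae are the simplified IEC 61508-6 Annex B equations for 1oo1, 1oo2, 2oo3 and 1oo3; two points the page leaves open are fixed as assumptions: a failure found by the cyclic diagnostic test is taken to be down for TD/2 + MRT on average, and the CCF ratio for detected failures is set to half the base ratio. The paper's own formulae for 2oo3plus are not given on the page, so that architecture is deliberately not reproduced.

```python
FIT = 1e-9                                   # failures per hour
ARCHS = ["1oo1", "1oo2", "2oo3", "1oo3"]


def pfd(arch, lam_fit=1000.0, d_share=0.5, dc=0.90, t1_a=5.0, td_d=7.0,
        mrt_h=72.0, beta=0.05):
    """Returns (PFD_I, PFD_CCF) for one architecture. Defaults are the paper's
    fictitious case: lambda = 1000 FIT, lambda_D = 0.5 lambda, T1 = 5 a, TD = 7 d,
    MRT = 72 h, CCF base ratio 0.05, DC = 90 %."""
    lam_d = lam_fit * FIT * d_share
    lam_du, lam_dd = lam_d * (1 - dc), lam_d * dc
    t1_h, td_h = t1_a * 8760.0, td_d * 24.0
    t_det = td_h / 2 + mrt_h                 # assumption: down time of a diagnosed failure
    beta_d = beta / 2                        # assumption: CCF ratio of detected failures

    def t_eq(fraction):
        """Channel-equivalent mean down time (IEC 61508-6 style): undetected failures
        are revealed at the proof test, detected ones at the diagnostic test."""
        return (lam_du / lam_d) * (t1_h * fraction + mrt_h) + (lam_dd / lam_d) * t_det

    t_ce, t_ge, t_g2e = t_eq(1 / 2), t_eq(1 / 3), t_eq(1 / 4)
    if arch == "1oo1":
        return lam_d * t_ce, 0.0
    # Independent part of a redundant group: failures not attributed to common cause.
    lam_eff = (1 - beta_d) * lam_dd + (1 - beta) * lam_du
    # Common-cause part: identical for all redundant groups in the simplified model.
    ccf = beta_d * lam_dd * t_det + beta * lam_du * (t1_h / 2 + mrt_h)
    if arch == "1oo2":
        return 2 * lam_eff ** 2 * t_ce * t_ge, ccf
    if arch == "2oo3":
        return 6 * lam_eff ** 2 * t_ce * t_ge, ccf
    if arch == "1oo3":
        return 6 * lam_eff ** 3 * t_ce * t_ge * t_g2e, ccf
    raise ValueError("unsupported architecture: " + arch)


def pfd_total(arch, **kw):
    return sum(pfd(arch, **kw))


def ccf_share(arch, **kw):
    """Fraction of PFD_G that is due to common cause failures."""
    ind, ccf = pfd(arch, **kw)
    return ccf / (ind + ccf)


def ranking(**kw):
    """Architectures ordered by PFD_G, lowest first."""
    return sorted(ARCHS, key=lambda a: pfd_total(a, **kw))


def diagnostic_gain(arch, dc=0.90, **kw):
    """Factor by which the cyclic diagnostic test lowers PFD_G compared with DC = 0."""
    return pfd_total(arch, dc=0.0, **kw) / pfd_total(arch, dc=dc, **kw)
```

Two of the page's qualitative statements are visible in the output: for every redundant architecture `ccf_share` exceeds one half (the CCF term dominates), and `ranking(dc=0.0)` puts 1oo3 first, i.e. without cyclic diagnostic testing the architecture with the most channels has the lowest PFD. `diagnostic_gain` is larger for 1oo2 than for 1oo1, which is the direction of the remark that the diagnostic test favours architectures with HFT > 0; how far that advantage carries for 2oo3plus depends on the CCF ratio modelling the paper derives for its structure, which is not on the page.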
