2.1.1 Negation Justification

What is Negation in This Context?

Negation acts as an output inhibit function. It’s a straightforward, deterministic fail-safe mechanism: if the system’s cross-checking detects an anomaly, negation forces the system into a defined safe state. For example, a non-weldable relay contact may fall open by gravity, disconnecting the output when the relay coil isn’t energized. In simple terms, negation prevents a potentially faulty voter result from triggering a hazardous output, closing diagnostic and fail-safe gaps that the voter alone cannot address.

Why is Negation Recommended?

Simplifies Safety Arguments and Verification: A single, conservative reaction (inhibit/negate) is easier to prove correct across various failure scenarios than complex fault handling in the voter or application logic. This simplicity is crucial for safety audits and certification.
Isolates Voter Faults: If a voter (where all independent branches converge) fails, it might incorrectly assert an output even when branch diagnostics indicate a problem. Negation provides a separate, simple reaction path that doesn’t depend on the voter being correct.
Ensures Deterministic Safe Behavior: When a fault is detected, the system must enter a clearly defined safe state. Negation is a minimal, easily analyzed mechanism to achieve this reliably.

Why Use Cross-Checks to Trigger Negation?

In high Safety Integrity Level (SIL) systems, parallel processing is performed by isolated subsystems. Diagnosing these subsystems also requires independent entities. Cross-checking allows each branch to diagnose the others without extra hardware, simplifying the topology and reducing costs.
Cross-checks reduce Common-mode and latent fault risks. If cross-checking reveals timing, plausibility or internal state anomalies that the voter outcome alone doesn’t catch, negation ensures these hidden issues can’t result in unsafe actions.