To reduce spurious trips of SIFs (safety instrumented functions), many plants moved from 1oo1 or 1oo2 voting on the sensors to 2oo3 voting -- a good idea. To improve stability for critical process control loops, many plants went from one or two sensors to three sensors, using the mid-value for control (also called median-select) -- also a good idea.
Without really analyzing it, some facilities combined the two ideas, using the mid-value of three sensors for a control loop and then using the same three sensors, voting 2oo3, for an SIF. The intent of the SIF was to protect against consequences that could be caused by a failure of the control loop. This arrangement violates the fundamental premise of LOPA (layer of protection analysis) and ANSI/ISA 84.00.01 (IEC 61511): an independent protection layer shall be independent of the causes of the consequence that the layer protects against.
The new configuration must be analyzed by Fault Tree Analysis (FTA), supplemented by Markov analysis. The FTA considers a failure of each of the three sensors and determines which of the remaining devices in the SIF can detect and prevent the consequence. The PFD (probability of failure on demand) is calculated and compared with the PFD of the total independent 2oo3 sensor SIF.
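The comparison the abstract describes can be sketched numerically. The following is an added illustration, not code from the paper: it computes the time-averaged PFD of a k-out-of-n sensor vote over one proof-test interval, then compares the fully independent 2oo3 SIF against the shared-sensor case in which the demand itself is caused by a dangerous failure of one of the three sensors, so that at the moment of demand the SIF can only trip if both remaining sensors vote (a 2oo2 vote). The failure rate, proof-test interval, exponential failure law and the "failed sensor cannot vote for trip" assumption are all constructed for the example; common-cause factors, diagnostics and the Markov refinement mentioned in the abstract are deliberately left out.

```python
from math import comb, exp


def unavailability(lambda_du: float, t: float) -> float:
    """Probability that one sensor has a dangerous undetected failure at time t
    (exponential failure law; the failure is revealed only at the proof test)."""
    return 1.0 - exp(-lambda_du * t)


def pfd_koon(k: int, n: int, p: float) -> float:
    """PFD of a k-out-of-n trip vote when each of the n channels has failed
    dangerous with probability p: the vote is lost once n-k+1 channels fail."""
    fails_needed = n - k + 1
    return sum(comb(n, j) * p**j * (1.0 - p) ** (n - j) for j in range(fails_needed, n + 1))


def pfd_avg(k: int, n: int, lambda_du: float, test_interval_h: float, steps: int = 10_000) -> float:
    """Average PFD over one proof-test interval (midpoint-rule integration)."""
    dt = test_interval_h / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * dt
        total += pfd_koon(k, n, unavailability(lambda_du, t))
    return total / steps


def compare_configurations(lambda_du: float, test_interval_h: float) -> dict:
    """Independent 2oo3 SIF versus the shared-sensor arrangement.

    In the shared case the initiating event is a dangerous failure of one of the
    three sensors (assumed here to leave it unable to vote for trip), so the SIF
    must succeed with the two sensors left: a 2oo2 vote of the survivors.
    """
    independent = pfd_avg(2, 3, lambda_du, test_interval_h)
    shared = pfd_avg(2, 2, lambda_du, test_interval_h)
    return {
        "pfd_independent_2oo3": independent,
        "pfd_shared_sensors_on_demand": shared,
        "degradation_factor": shared / independent,
    }


if __name__ == "__main__":
    # Constructed values: lambda_DU = 1e-6 per hour, annual proof test.
    result = compare_configurations(lambda_du=1e-6, test_interval_h=8760.0)
    for name, value in result.items():
        print(f"{name:32s} {value:.3e}")
```

With the constructed values the independent 2oo3 SIF comes out near (lambda_DU * T)^2, while the shared-sensor case on demand is near lambda_DU * T, roughly two orders of magnitude worse. That is the structural point of the abstract: the credit claimed for the SIF must be computed conditional on the initiating sensor failure, not from the independent 2oo3 figure.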
The paper suggests guidance for appropriate use of the combined configuration and suggests how to approximate the risk reduction.