Rev. 2, 6 Dec 2012. Site Technical Practice, Engineering. DWGOM Group Practice DWGOM GP 30-0130: Override/Bypass Control

Rev. 2 6 Dec 2012

Site Technical Practice

Engineering

DWGOM Group Practice

DWGOM GP 30‑0130

Override/Bypass Control

Table of Contents

Foreword

Introduction

1 Scope

2 Normative references

3 Terms and definitions

4 Symbols and abbreviations

5 Audit requirements

6 Organization, roles, and responsibilities

6.1 Operations responsibilities

6.2 Drilling responsibilities for BP-managed drilling facilities

7 Introduction

7.1 Instrumented safety functions

7.2 Non-instrumented safety functions

7.3 Methods used for bypassing safety functions

8 Basic principles

9 Eligibility for overrides/bypasses

10 Safety Override Risk Assessment

11 Control of overrides/bypasses

12 Start-up overrides

13 Overrides on isolated non-operational plant

Bibliography

List of Tables

Table 1 - Safety Override Risk Assessment form

Table 2 - Safety override/bypass log

Table 3 - Safety override/bypass shift change log

List of Figures

Figure 1 - Safety override/bypass application flow chart

Figure 2 - Sample HMI detail for SORA review

Figure 3 - Sample SORA for PSV Testing

Figure 4 - Sample SORA for PSV Maintenance

Figure 5 - Sample SORA for Instrumented Function

Foreword

This is a revised issue of Site Technical Practice (STP) DWGOM GP 30‑0130. This Site Technical Practice (STP) incorporates the following changes:

• Added references to related Code of Federal Regulations (CFR).

• Updated linkage from IM to OMS requirement.

• Added Audit Requirements (2011 OMS audit action).

• Updated documentation to be reviewed during weekly Specified Authority Audit.

• Added override/bypass procedure requirements for Hazard Operability (HAZOP)/Layer of Protection Analysis (LOPA) Study-identified Safety Related Alarms (SRAs) and Basic Process Control System (BPCS) control loop Independent Protection Layers (IPLs).

• Update to role and responsibility titles and Safety Override Risk Assessment (SORA) attendee requirements.

• Added additional guidance when developing SORAs.

• Corrected override/bypass application flow chart.

• Clarification on timing of Management of Change (MOC) requirements.

• Clarification on approval requirements for extending SORAs beyond SORA-identified bypass duration.

• Update SORA requirements on non-integrity rated (IL 0 or IL A) safety instrumented function override/bypass SORA requirements.

• Update on weekly Specified Authority audit requirements (2011 OMS audit action).

• Added three year requirement to conduct an audit of the implementation effectiveness of STP DWGOM GP 30-0130 (2011 OMS audit action).

• Added definitions for Basic Process Control System (BPCS), Bizflow Control System Change Request (CSCR), Specified Authority, SRA and IPL.

• Updated examples of safety function bypasses.

• Provided guidance on when SORAs should be refreshed.

• Deleted the Facility Specialist role and added these roles and responsibilities to the Specified Authority role.

Due to extensive changes to this STP, revisions are not identified by a bar in the left margin, as is normal practice.

Copyright © 2012 BP International Ltd. All rights reserved. This document and any data or information generated from its use are classified, as a minimum, BP Internal. Distribution is intended for BP authorized recipients only. The information contained in this document is subject to the terms and conditions of the agreement or contract under which this document was supplied to the recipient's organization. None of the information contained in this document shall be disclosed outside the recipient's own organization, unless the terms of such agreement or contract expressly allow, or unless disclosure is required by law.

In the event of a conflict between this document and a relevant law or regulation, the relevant law or regulation shall be followed. If the document creates a higher obligation, it shall be followed as long as this also achieves full compliance with the law or regulation.

Introduction

This guidance is provided to ensure that all field personnel comply with the regulations found at 30 CFR 250.803(c)(1) and 30 CFR 250.1004(c). Regulatory INCs issued against these regulations could result in significant civil penalties and, if found to be a deliberate violation, could escalate into a criminal violation; of greater concern, however, are the potential negative ramifications for the safety and health of our personnel.

30 CFR 250.803(c)(1)

“Surface or subsurface safety devices shall not be bypassed or blocked out of service unless they are temporarily out of service for startup, maintenance or testing procedures. Only the minimum number of safety devices shall be taken out of service. Personnel shall monitor the bypassed or blocked-out functions until the safety devices are placed back in service. Any surface or subsurface safety device which is temporarily out of service shall be flagged.”

30 CFR 250.1004(c)

“If the required safety equipment is rendered ineffective or removed from service on pipelines which are continued in operation, an equivalent degree of safety shall be provided. The safety equipment shall be identified by the placement of a sign on the equipment stating that the equipment is rendered ineffective or removed from service.”

Review and Update

This document has been subjected to a number of operational and instrumentation technical peer reviews and is subject to a 3-year review and update. However, the document control system allows for continuous update of this document. As such, any user may at any time identify an error or suggest an improvement to the Technical Authority.

1 Scope

a. This STP provides expectations and guidance on all aspects of override/bypass control. These aspects include:

1. Definition of override/bypass.

2. Categorization of overrides/bypasses.

3. Roles and Responsibilities.

4. Risk assessment (SORA).

5. Start-up Overrides.

6. Acknowledgement, authorization and approval.

7. Reviewing of the records.

8. Time limits.

9. Logging requirements.

b. The objective of the STP is to ensure all GoM sites have unified safety practices that will provide control, transparency of process, and management of risk.

c. This STP is in accordance with BP Engineering Technical Practices (ETPs) on safety instrumented systems (SIS) overrides and refers to GP 30-81 for detailed guidance.

d. This STP is based on the international standard IEC 61511. In meeting this requirement, the STP also conforms to:

1. The SIS requirements of OMS Sub-element 3.3, Process Safety.

2. The GoM Safe Practices Manual.

2 Normative references

The following referenced documents may, to the extent specified in subsequent clauses and normative annexes, be required for full compliance with this STP:

• For dated references, only the edition cited applies.

• For undated references, the latest edition (including any amendments) applies.

BP

GP 30-81 Safety Instrumented Systems - Operations and Maintenance

3 Terms and definitions

For the purpose of this STP, the following terms and definitions apply:

Basic Process Control System

BPCS consists of a combination of sensors, logic solvers, process controllers and final control elements which automatically regulate the process within normal production limits.

Bizflow Control System Change Request

Ensures that the management and modification of systems is performed in a safe and effective manner. Documentation is required for any change that constitutes an alteration to a PES, either hardware or software.

Bypass

Bypasses perform the same function as an override.

Commercial Integrity Level

Discrete level for specifying commercial integrity requirements of commercial functions allocated to safety instrumented systems (SIS).

Drilling Contractor Rig Manager

Drilling Contractor's onsite person in charge (e.g., Tool Pusher, Rig Superintendent).

Environmental Integrity Level

Discrete level for specifying environmental integrity requirements of environmental functions allocated to SIS.

IL 0 or IL A

Any instrumented function that is designed to protect equipment but has not been identified in the risk assessment (HAZOP/LOPA) as a required protection layer.

IL 1 and higher

Any instrumented function that has been identified in the risk assessment (HAZOP/LOPA) as a required protection layer.

Independent Protection Layer

A device or system that is capable of preventing a postulated accident sequence from proceeding to a defined, undesirable endpoint. An IPL is independent of all other protection layers associated with the identified potentially hazardous event.

Integrity Level

More general description than safety integrity level (SIL), referring to highest integrity level (IL) required for safety of onsite personnel, offsite personnel, environmental issues and commercial issues.

Layer of Protection Analysis

Semi-quantitative method to assess adequacy of protection layers and determine performance requirements for SIS.

Non-routine

Any task not performed at a regular, pre-determined frequency.

Offshore Facility Manager

Offshore Installation Manager, Offshore Production Manager or Well Site Leader.

Out of Service

Safety override that is used for equipment that is isolated and not functional for maintenance purposes.

Override

The temporary bypass of a safety function or IPL to allow certain work to proceed without causing an unnecessary process shutdown or alarms. Override is used to prevent a safety function from operating.

Safety Related Alarm

An alarm that is identified as an IPL during HAZOP/LOPA and is independent of any BPCS control loop claimed as an IPL.

Safety Instrumented Function

A safety function that is implemented by an SIS which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. The function also provides a defined level of risk reduction or IL for a specific hazard by automatic action using instrumentation.

Safety Instrumented System

A system that implements multiple Safety Instrumented Functions (SIFs) to protect an operating process. The system is composed of any combination of input sensors, logic solvers and final output elements that work in concert to detect hazards and bring the process to a safe state.

Safety Integrity Level

A statistical representation of the reliability of the SIS when a process demand occurs. It is used in both ANSI/ISA-S84.01 and IEC 61508 to measure the reliability of SIS. SILs for SIS operating in demand mode are defined in terms of probability of failure on demand (PFD).

Shift Technician

Control Room Operator, Drilling Chief Electrician, Drilling Electronic Technician, Drilling Maintenance Supervisor, Ballast Control Operator.

Specified Authority

Individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all overrides and bypasses for the Facility or Drilling Rig. This role can be filled by the following positions: Production Team Lead, Maintenance Team Lead, Marine Team Lead, Drilling Contractor Rig Manager.

4 Symbols and abbreviations

For the purpose of this STP, the following symbols and abbreviations apply:

BPCS Basic Process Control System

BSL Burner Safety Low

CIL Commercial Integrity Level

CRO Control Room Operator

CSCR (Bizflow) Control System Change Request

EIL Environmental Integrity Level

ESD Emergency Shutdown

FSHL Flow Safety High/Low

HAZOP Hazard and Operability (Study)

HMI Human Machine Interface

HREP Hazard and Risk Evaluation Plans

HVAC Heating, Ventilation and Air Conditioning

ICE Instrument, Control, Electrical Engineer

IL Integrity Level

INC Regulatory - Incidents of Non-Compliance

IPL Independent Protection Layer

LOPA Layer of Protection Analysis

LSHL Level Safety High/Low

MOC Management of Change

OFM Offshore Facility Manager

OPRA Offshore Personnel Risk Assessment

PES Programmable Electronic Systems

PFD Probability of Failure on Demand

PSHL Pressure Safety High/Low

PSRE Process Safety Risk Engineer

PSV Pressure Safety Valve

SCSSV Surface Controlled Subsurface Safety Valves

SDV Shutdown valve

SIF Safety Instrumented Function

SIL Safety Integrity Level

SIS Safety Instrumented System

SORA Safety Override Risk Assessment

SRA Safety Related Alarm

SSV Surface Safety Valves

TSE Temperature Safety Element

TSHL Temperature Safety High/Low

ZMS Zone Management System

5 Audit requirements

a. An audit to assess each HUB's implementation effectiveness of this STP shall be conducted every 3 years, with more frequent audits based on audit findings, and will include but not be limited to:

1. Quality assessment of the Specified Authority weekly audits and documentation.

2. Review 15% of SORAs for instrumented and non-instrumented safety function bypasses.

3. Review of a representative sample equal to two months of bypass logs and shift change sign off.

4. Review of a representative sample equal to two months of altered valve list documentation.

5. Review of currently overridden/bypassed instrumented and non-instrumented safety functions (electronic report and/or hard copy log).

6. Field verification of active SORAs, as available or in place at the time of the audit.

7. Review of a representative sample equal to two months of overridden/bypassed instrumented and non-instrumented safety function activity (electronic report and/or hard copy log).

8. Individual’s knowledge of the specific role and responsibility he/she is assigned.

b. The sample size of the documentation reviewed shall include a representative sample equal to or greater than two months of information since the last audit.

6 Organization, roles, and responsibilities

The following provides a summary of the responsibility assigned to a specific role.

6.1 Operations responsibilities

6.1.1 Offshore Facility Manager

Offshore Installation Manager or Offshore Operations Superintendent:

a. Is responsible for the overall control of overrides/bypasses in accordance with safety and technical guidelines.

b. Revalidates an authorized SORA for reuse if the SORA is updated.

c. Authorizes the use of a bypass for more than one week.

d. Authorizes the use of a temporary SORA.

e. Is responsible for assuring that an individual or individuals are assigned the role of Specified Authority.

f. Ensures that the overrides are reviewed as part of the weekly Operations meeting with the Specified Authority, and approves the outcome.

6.1.2 Specified Authority

An individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all Overrides and Bypasses for the Facility. This role can be assigned to the Operations Engineer, Production Team Lead, Maintenance Team Lead or Marine Team Lead.

a. Is responsible for conducting a weekly operations review of the outstanding overrides.

b. Reviews and acknowledges all outstanding overrides at the start of each shift day.

c. Is responsible for the logbook and the authority over all overrides that occur throughout their shift.

d. Coordinates the shift team to create a new SORA if a SORA is unavailable for the task at hand.

e. Ensures that all records are detailed and informative.

6.1.3 Shift Technician

Control Room Operator or Ballast Control Operator:

a. Reviews and acknowledges all outstanding overrides, and their associated risk assessments, during the shift handover.

b. Ensures that the override logbook is kept promptly up to date and that the records are informative and detailed.

6.2 Drilling responsibilities for BP-managed drilling facilities

6.2.1 Offshore Facility Manager

The Well Site Leader:

a. Is responsible for the overall control of drilling overrides/bypasses in accordance with safety and technical guidelines.

b. Revalidates an authorized drill rig SORA for reuse if the SORA is updated.

c. Authorizes the use of a drill rig bypass for more than one week.

d. Authorizes the use of a temporary drill rig SORA.

e. Ensures that the overrides are reviewed as part of the weekly drill rig meeting with the Drilling Contractor Rig Manager, and approves the outcome.

f. Informs the Offshore Installation Manager of drill rig overrides/bypasses.

6.2.2 Specified Authority

An individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all Overrides and Bypasses for the Drill Rig. This role can be assigned to the Drilling Contractor Rig Manager.

a. Conducts a weekly drill rig review of the outstanding overrides.

b. Reviews and acknowledges all outstanding overrides/bypasses at the start of each shift day.

c. Is responsible for the logbook and the authority over all overrides that occur throughout their shift.

d. Coordinates with the shift team to create a new SORA if a SORA is unavailable for the task at hand.

e. Ensures that all records are detailed and informative.

f. Ensures that SORAs are refreshed in cadence with HAZOP/LOPA revalidation.

6.2.3 Shift Technician

The Drilling Chief Electrician and/or Drilling Electronic Technician, and/or Drilling Maintenance Supervisor:

a. Reviews and acknowledges all outstanding overrides, and their associated risk assessments, during the shift handover.

b. Ensures that the override logbook is kept promptly up to date and that the records are informative and detailed.

7 Introduction

7.1 Instrumented safety functions

a. The application of an override/bypass to a safety instrumented system (SIS) prevents that safety instrumented function (SIF) from acting on demand, and there will be an increased risk during the time the override/bypass is applied. Application of any override/bypass to any SIF with an IL of 1 or greater may be considered similar to the isolation of a safety relief valve.

b. Application of an override/bypass to an SIF with a specified (1 or greater) EIL can lead to serious consequences, including loss of operating permit.

c. There are potential serious commercial implications for application of overrides/bypasses to safety instrumented functions with specified CILs.

d. This document identifies those circumstances under which overrides/bypasses may be permitted and provides a procedure for controlling this operation.

e. This document applies to all reasons for safety, environmental and commercial bypassing, which would prevent a safety function from operating on demand.

f. Examples of safety instrumented functions may include but are not limited to the following:

1. Shutdown Valves (SDV).

2. Surface Controlled Subsurface Safety Valves (SCSSV).

3. Surface Safety Valves (SSV).

4. Level Safety High/Low (LSHL).

5. Pressure Safety High/Low (PSHL).

6. Flow Safety High/Low (FSHL).

7. Burner Safety Low (BSL).

8. Temperature Safety High/Low (TSHL).

9. TSE.

10. Fire Detector.

11. Gas Detector.

12. Safety Shutdown Group.

13. Blocking the view of ‘line of sight’ fire and gas detection device.

14. ESD initiating and ESD end element devices.

15. Basic Process Control System (BPCS) control loops that are identified as IPLs in HAZOP/LOPA and put in manual mode.

16. Safety Related Alarms (SRAs) which are identified as IPLs in HAZOP/LOPA and disabled from the human-machine interface (HMI).

17. Temporary wired links.

g. This procedure does not apply to SIS inputs where specific operational facilities, such as self-cancelling start-up overrides/bypasses or dedicated mode-change hand switches are provided, and where the use of these facilities is covered adequately within the plant operating instructions which have been adequately risk assessed (e.g., HAZOP).

7.2 Non-instrumented safety functions

a. This procedure applies to non-instrumented safety functions that are defined as protective functions.

b. Examples may include but are not limited to the following:

1. Pressure Safety Valve (PSV).

2. Rupture Disk.

3. Vacuum Breakers.

4. Machinery Overspeed.

5. Fire Water Systems.

6. Emergency Communications Systems.

7. Blowdown and Flare Systems.

8. Navigational Aids.

9. Ballast Systems Safety Elements.

10. Mooring Systems Safety Elements.

11. Fire Detection Systems.

12. Gas Detection Systems.

13. Packaged Equipment Out of Service.

14. Building Pressurization Systems (Heating, ventilation and air conditioning [HVAC]).

15. Emergency Lighting.

7.3 Methods used for bypassing safety functions

Examples of methods used for bypassing safety functions include:

a. HMI – safety bypasses/override/out-of-service switches.

b. Forced safety system logic (i.e. AFI – Always False Instruction).

c. Local panel - safety bypass/override switches/out-of-service switches.

d. Electrical jumper lines.

e. Electrical leads disconnect for power supply (navigation aids).

f. Hand/off/automatic switch (fire water pump).

g. Local control panel ‘Bypass’/‘In-Service’ selector valves.

h. Pneumatic jumper lines.

i. Pinned pneumatic or hydraulic safety relay.

j. Pneumatic relay chocks.

k. Plugged bleed ports.

l. Block valves under PSV.

m. Isolation valves for SCSSV.

n. Isolation valves on level safety bridles.

o. Isolation valves on pressure safety instruments.

p. Three way valve on SSV/SDV/BDV (trapped pressure).

q. Sensing line selector valves for PSHL testing.

r. Plumber's plug (deck drains).

s. Fusible caps on SSV.

t. Valve jammers (e.g., Petroval lock stops, SSV fusible caps, SCSSV hydraulic supply block valve).

u. Altered valve.

8 Basic principles

a. This document applies where there is a need for override/bypass or disabling of applications involving safety, commercial or environmental risk.

b. Safety functions requiring override/bypass or disabling for periods in excess of one week shall be subject to the full Management of Change (MOC) approval process.

c. The responsibility for the safety overrides/bypasses (including those for maintenance purposes) shall be assigned to a Specified Authority. The Specified Authority has ultimate responsibility for the current status of any overrides/bypasses.

d. The Safety Override Risk Assessment (SORA) is a decision support process intended to provide clear guidance where it is permitted to apply overrides/bypasses without further approval.

e. All SORAs shall be reviewed when changes are made to the process that could impact the assumptions of the SORA.

f. After a SORA is approved and recorded, the risk assessment may be used multiple times.

g. A SORA may also be generated for specific maintenance routines. This SORA shall refer to the original SORA for each override/bypass.

h. When multiple bypasses are in place, the risk of having these in effect simultaneously shall be assessed. The intent is to avoid a combination of bypasses that could lead to an undesirable event.

i. SORAs shall be refreshed in cadence with HAZOP/LOPA revalidation.

j. SORAs should be included in the Hazard and Risk Evaluation Plans (HREP) for the asset.

9 Eligibility for overrides/bypasses

a. Before any override/bypass is applied, the implications of doing so shall be fully understood, and adequate additional measures shall be applied to reduce the consequential risk of operating without automatic protection.

b. Planned overrides fall into three categories.

1. Integrity rated instrumented safety function IL bypasses (IL 1 and above) or Non-integrity rated instrumented safety function bypass (IL 0 or IL A):

a) Use the SORA for all cases.

b) Bypasses in place for greater than one week require Specified Authority, OFM and MOC approvals.

2. HAZOP/LOPA identified BPCS control loop and Safety Related Alarm (SRA) Independent Protection Layers:

a) Use the SORA for all cases.

b) BPCS control loop IPLs placed in manual for greater than one week require Specified Authority, OFM and MOC approvals.

c) Safety Related Alarms in disabled mode for greater than one week require Specified Authority, OFM and MOC approvals.

3. Non-Instrumented Safety Functions:

a) Use the SORA for all cases.

For PSVs/PSEs, a SORA is not required if there is a redundant 100% PSV/PSE in service or if the device does not have an isolation valve.

b) Bypasses in place for greater than one week require Specified Authority, OFM and MOC approvals.

c. Rather than rely on the decision of an individual authority, a specific risk assessment should be carried out for each safety instrumented system override/bypass. The resultant SORA shall be recorded on a suitable form. An example of such a form is shown as Table 1.

d. For drilling automated pipe handling systems, the following shall apply:

1. Any override which causes the Zone Management System (ZMS) to be locked out can only be done after review and approval by the Drilling Contractor Rig Manager. This is essentially when the piece of equipment is placed in maintenance override which bypasses the ZMS.

2. Normal operational positional overrides which do not violate the control and protection of the ZMS are permitted. These overrides are simply slight positional adjustments that are done within the normal safe operational range of the tools and under the protection and control of the ZMS. These slight adjustments are required to overcome the effects of wind and vessel motion on the tools as they operate within the control of the ZMS. These adjustments are not considered a hazardous operation.
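
One way to automate the Section 9b eligibility checks over an override/bypass log, together with the cumulative-risk rule of Section 8h and the maximum-duration rule of Section 10b.6. This is an added example, not part of the STP or any BP tooling; the record fields, finding codes, SORA identifiers and device tags are assumptions constructed for illustration and do not come from the STP's log form.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

ONE_WEEK = timedelta(weeks=1)
# Approvals Section 9b requires once a bypass has been in place for more than one week.
LONG_TERM_APPROVALS = frozenset({"specified_authority", "ofm", "moc"})


@dataclass(frozen=True)
class Bypass:
    """One log entry. Field names are hypothetical, not the STP's log form."""
    tag: str
    category: str  # "instrumented", "ipl" (BPCS loop or SRA) or "non_instrumented"
    applied: datetime
    removed: Optional[datetime] = None           # None while the bypass is active
    sora_id: Optional[str] = None
    sora_max_duration: Optional[timedelta] = None
    extension_documented: bool = False           # SORA review and reason recorded
    approvals: frozenset = frozenset()
    is_psv_pse: bool = False
    redundant_in_service: bool = False           # redundant 100% PSV/PSE in service
    has_isolation_valve: bool = True


def sora_required(b):
    """SORA for all cases, except the PSV/PSE exemption in Section 9b.3."""
    if b.category == "non_instrumented" and b.is_psv_pse:
        return b.has_isolation_valve and not b.redundant_in_service
    return True


def audit(b, now):
    """Return the finding codes for one entry, evaluated at time `now`."""
    findings = []
    age = (b.removed or now) - b.applied
    if sora_required(b) and b.sora_id is None:
        findings.append("NO_SORA")
    # "Greater than one week" is strict: exactly seven days raises no finding.
    if age > ONE_WEEK:
        missing = LONG_TERM_APPROVALS - b.approvals
        if missing:
            findings.append("OVER_ONE_WEEK_MISSING:" + ",".join(sorted(missing)))
    # Section 10b.6: past the SORA's maximum duration, a documented review is needed.
    if (b.sora_max_duration is not None and age > b.sora_max_duration
            and not b.extension_documented):
        findings.append("SORA_DURATION_EXCEEDED")
    return findings


def cumulative_review_needed(log, now):
    """Section 8h: tags of simultaneously active bypasses when more than one is in place."""
    active = sorted(b.tag for b in log
                    if b.applied <= now and (b.removed is None or b.removed > now))
    return active if len(active) > 1 else []


# Constructed sample log (tags, SORA ids and times are illustrative only).
NOW = datetime(2012, 12, 20, 6, 0)
SAMPLE_LOG = [
    Bypass("PSHL-101", "instrumented", datetime(2012, 12, 19, 6, 0),
           sora_id="SORA-EX-01", sora_max_duration=timedelta(hours=12)),
    Bypass("LSHL-202", "instrumented", datetime(2012, 12, 10, 6, 0),
           sora_id="SORA-EX-02", sora_max_duration=timedelta(days=14),
           approvals=frozenset({"specified_authority"})),
    Bypass("PSV-303", "non_instrumented", datetime(2012, 12, 19, 6, 0),
           is_psv_pse=True, redundant_in_service=True),
    Bypass("SRA-404", "ipl", datetime(2012, 12, 18, 6, 0)),
    Bypass("FSHL-505", "instrumented", datetime(2012, 12, 1, 6, 0),
           removed=datetime(2012, 12, 2, 6, 0), sora_id="SORA-EX-05",
           sora_max_duration=timedelta(days=2)),
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(entry.tag, audit(entry, NOW) or "ok")
    print("assess together:", cumulative_review_needed(SAMPLE_LOG, NOW))
```
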

10 Safety Override Risk Assessment

a. A SORA shall be carried out before the application of an override/bypass (see example Table 1). The SORA shall be led by the Specified Authority or designated equivalent responsible person, who will enlist the help of expert assistance as required. Attendees shall include Process Safety Risk Engineer (PSRE) for all SORAs, Process Engineer for PSV SORAs and ICE Engineer for Instrumented System SORAs.

b. The objective of the exercise shall be to:

1. Identify the consequence and risk associated with the failure of the Safety Function to act on demand through the application of that particular override/bypass (information is available in OPRA and LOPA documentation).

2. Identify the cumulative impact and risk of applying this override/bypass in addition to any other related overrides/bypasses that may already be applied.

3. Identify the consequence and risk of a spurious trip during the application, duration and removal of the override/bypass for instrumented safety functions.

4. Identify situations where it may be necessary to apply the override/bypass.

5. Identify any measures or actions that may be taken to reduce the risk to an acceptable level when the override/bypass is applied.

6. Specify the maximum duration for which an override/bypass may be applied.

If this duration is exceeded, the Specified Authority shall review the SORA, and document the reason for the extension. The CSCR process shall be used for approval and documentation of this process.

7. Specify whether any further actions need to be taken.

c. When developing the SORA, the following questions should be answered:

1. What process variable is to be monitored?

2. What device will be used to monitor the process variable?

3. How will the process be controlled?

4. What assurance will be performed to ensure the equipment used to monitor and control is operating properly?

5. At what point is response required to prevent an undesirable event?

6. Is there adequate time to respond to prevent an undesirable event?

7. Will the mitigation measures identified provide an equivalent degree of safety?

d. The results of the assessment shall be recorded and authorized. (A suitable form is shown in Table 1.) Authorization levels shall be decided locally and may typically be as follows:

1. Specified Authority - Carries out the Assessment with assistance from others.

The SORA development and refresh team should include roles such as PSRE, I&C engineer, process engineer and CRO.

2. OFM - Endorses Assessment.

e. Following completion, the SORAs shall be indexed and filed in a file system, or made accessible through the HMI (a suggested example is shown in Table 2 and Table 3), which is to be available in the control room and/or Rig Manager’s office for easy reference. Following a whole system review, a completed SORA shall be available for each override/bypass as called out in Section 9, Eligibility for overrides/bypasses.

f. In an urgent situation when a suitable SORA cannot be located, the above process shall still be followed, with the Operations Tech (or equivalent) endorsing the assessment in conjunction with the Lead Tech (or equivalent). This ‘urgent situation’ SORA shall then be formally reviewed at the earliest opportunity by the Specified Authority and OFM and, if appropriate, added to the facility SORA file (see the flow chart in Figure 1). In cases where more than one predefined SORA is being applied, the terms of Clause 10b.2 apply.

11 Control of overrides/bypasses

a. The integrity rating of safety instrumented overrides/bypasses which have a rating of IL 1 or higher shall be clearly and unambiguously identified as such on the HMI graphic so the operator is clear on the IL of the safety function before it is put in bypass.

b. HAZOP/LOPA identified BPCS control loop and SRA IPLs shall be clearly and unambiguously identified as such on the HMI graphic so the operator is clear on the IL of the safety function before it is put in bypass.

c. Where valve ‘jammers’ are fitted to permit online proof testing on valves that form part of a high integrity SIF, these shall also be considered to be overrides/bypasses.

d. The Lock Out/Tag Out system shall be used for control of local override/bypass switches and valve jammers.

e. Technicians shall be trained on the significance of the IL rating and shall understand the procedures to be followed when applying an override/bypass.

f. The SORA should be carried out as an off-line activity at the earliest opportunity, to avoid having to make such important judgments when under stress or at periods of high activity.

g. Each facility shall utilize this STP as the procedure for guidance on the process to apply an override/bypass to safety functions.

h. The application of overrides/bypasses for testing or maintenance purposes shall be reviewed in conjunction with the SORA, and any special observations shall be specified within the maintenance procedure or method statement. The control of overrides/bypasses for maintenance purposes remains with the Shift Technician and, even if not involved directly, he/she shall be advised on the application and removal of any local or HMI initiated override/bypass.

i. The general procedure for applying a safety override is illustrated by the flow chart in Figure 1. Technicians may only authorize the application of overrides/bypasses within the scope of the SORA. The maximum permissible duration of override/bypass application is stated in the SORA; however, efforts shall be made to minimize this duration.

j. The application of any override/bypass shall be recorded using a log sheet. (A suggested log sheet is shown in Table 2.) The Shift Technician shall acknowledge and accept any currently applied overrides/bypasses when they commence their shift using the log sheet. (A suggested sign off sheet is shown in Table 3.) These bypasses are manually or electronically tracked and the bypass log shall be generated each shift. (A suggested process graphic and SORA display are shown in Figure 2 and Figure 3.)

k. The Specified Authority for overrides/bypasses shall carry out an audit at least weekly of override/bypass status. Any ‘urgent situation’ SORAs that have been raised shall be reviewed and any outstanding overrides/bypasses shall be challenged.

1. Documentation to be reviewed during the weekly audit shall include:

a) SORAs for instrumented and non-instrumented safety functions that are currently in bypass or were put in or taken out of bypass over the previous week.

b) The number of times bypasses require SORA time extension approval through the CSCR process.

c) Altered valve listing of all valves that are in an altered position.

d) Current listing of overrides/bypasses (electronic report and/or hard copy log).

e) MOCs for overrides/bypasses that have been in bypass for over one week.

f) Documentation and validity of overrides on isolated non-operational plant safety functions.

2. The audit shall include comparison between the override/bypass electronic report and/or log sheet and the actual state of the override/bypass safety function.
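The comparison required by item 2, together with the duration checks of Clause 10b.6 and item 1.e, can be automated where the log is held electronically. The following is an added example, not part of this STP: the field names, tag numbers and timestamps are constructed, and it assumes that an override in bypass for over one week needs an MOC reference unless an Isolation Number is recorded against it (Clause 13b.3).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LogEntry:                         # one row of the override/bypass log (field names assumed)
    tag: str
    applied: datetime                   # date/time the override was applied
    sora_max: timedelta                 # SORA permitted bypass duration
    cscr_ref: Optional[str] = None      # CSCR approval of a time extension, if any
    moc_ref: Optional[str] = None       # MOC reference, if any
    isolation_no: Optional[str] = None  # set when the plant is positively isolated

def audit(log, live_tags, now):
    """Return sorted (tag, finding) pairs; live_tags is the set actually in bypass."""
    findings = []
    logged = {e.tag for e in log}
    for tag in live_tags - logged:      # field state not reflected in the log
        findings.append((tag, "active but not in log"))
    for e in log:
        if e.tag not in live_tags:      # log not reflected in the field state
            findings.append((e.tag, "logged but not active"))
            continue
        age = now - e.applied
        if age > e.sora_max and not e.cscr_ref:
            findings.append((e.tag, "SORA duration exceeded without CSCR extension"))
        long_term = age > timedelta(weeks=1) and not e.isolation_no
        if long_term and not e.moc_ref:
            findings.append((e.tag, "over one week without MOC"))
    return sorted(findings)

NOW = datetime(2012, 12, 6, 6, 0)       # constructed audit time
LOG = [                                 # constructed log rows
    LogEntry("PSHH-101", NOW - timedelta(hours=3), timedelta(hours=8)),
    LogEntry("LSLL-205", NOW - timedelta(hours=30), timedelta(hours=12)),
    LogEntry("PSLL-310", NOW - timedelta(days=20), timedelta(days=30), isolation_no="ISO-0042"),
    LogEntry("FSLL-412", NOW - timedelta(days=9), timedelta(days=14)),
    LogEntry("TSHH-550", NOW - timedelta(hours=2), timedelta(hours=4)),
]
LIVE = {"PSHH-101", "LSLL-205", "PSLL-310", "FSLL-412", "ESDV-777"}  # constructed field state

if __name__ == "__main__":
    for tag, finding in audit(LOG, LIVE, NOW):
        print(f"{tag}: {finding}")
```

Each finding is an item for the Specified Authority to challenge during the weekly audit; the script does not replace the physical check of local switches and valve jammers.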

12 Start-up overrides

a. A start-up override is a defeat that is identified within the operator’s start-up procedure, which is required to enable the unit to be started. A start-up override needs to be removed as soon as possible, and typically, this should be done automatically.

b. Start-up overrides with automatic resets are not required to be controlled under this STP, as they have been specifically designed and reviewed during the design of the unit and during development and approval of the operating procedures. These procedures shall have been adequately risk assessed (e.g., HAZOP).

c. Start-up overrides with manual resets do not require any risk assessment, but they shall be recorded in the override logbook.

d. If any start-up override is required on a unit that already has additional (non-startup related) overrides applied, then the start-up overrides shall comply with this STP in its entirety.

13 Overrides on isolated non-operational plant

a. In some cases, overrides are applied to plant areas, trains and units that may be positively isolated for long periods of time. In these cases the override(s) are applied to prevent the shutdown of the operational plant caused by process parameters that are normal during isolation but undesired when operational (e.g., low pressures, low levels, low flows).

b. During this period of plant isolation, the hazard that the instrument function is protecting against may no longer exist, or the risk is significantly reduced. Therefore, during this period, the function controlling the risk associated with the override shall be managed as follows:

1. A SORA shall be required for all integrity rated overrides; however, the process condition shall state that the plant is positively isolated. The hazard identification and mitigation shall reflect this operational condition, and the time period for which the override will be applied.

2. The ‘Isolation Number’ shall be recorded against each affected override on the override log.

3. These overrides shall not be counted as ‘Long-term Overrides,’ and no additional action shall be taken.

Table 1 - Safety Override Risk Assessment form

Tag Identification of Device:

(Specify tag no. of input/output)

Facility:

Descriptor:

Integrity Level: Safe Chart Reference:

Method of Override:

Integrity Basis: Safety Environment Commercial

(Identify highest overall requirement)

Hazard(s) of Applying Override/Bypass:

(What are the consequences if this safety function fails to act on demand? Information is available in OPRA and LOPA)

Hazard(s) from Spurious Trip if applicable:

(For instrumented safety functions, identify the consequence and risk of a spurious trip during the bypass/override state.)

Reason(s) for Applying Override/Bypass:

(Maintenance, testing, fault diagnostics, etc. Note: start-up overrides/bypasses normally provided for process operations)

Mitigation:

(What process variable should be monitored, what device is used to monitor the process variable, how will the process be controlled, at what point is response required to prevent an undesirable event, is there adequate time to respond to prevent an undesirable event while overridden/bypassed?)

Considering the level of risk and the potential for mitigation, the override/bypass of this safety function is classed as:

Acceptable Unacceptable

Maximum Duration of Override/Bypass Allowed: _______ Maintenance Testing Start-up Only

Observations or Comments:

Assessment Carried out by: Date:

(Specified Authority or equivalent and attendees) (Attendees shall include PSRE for all, Process Engineer for PSVs and ICE Engineer for instrumented systems.)

Lead Tech/Engineer:

Name: Date:

Specified Authority:

Name: Date:

Offshore Facility Manager:

Name: Date:

Note:

A paper filing system or an online database can be utilized to fill in the form and maintain the above SORA data. The asset has the option of maintaining the SORA data as hard copy or importing the SORA data into the Control System to display key SORA data as a pop-up from the HMI screen when bypasses are to be implemented. Refer to Figure 2 and Figure 3.

Figure 1 - Safety override/bypass application flow chart

Table 2 - Safety override/bypass log

Facility: ____________________

Tag Number Description Applied by Date Time Time In Bypass Duration SORA Permitted Bypass Duration

Note:

1. For HMI overrides the SIS override/bypass log shall be stored and maintained (either hard copy in the control room and/or Rig Manager’s office or electronically in the control system) for two years for safety function bypasses.

2. For Non-HMI bypasses a hard copy shall be maintained in the control room and/or Rig Manager’s office for two years.

Table 3 - Safety override/bypass shift change log

Facility: ____________________

By signing below, all signatories confirm acceptance of the outstanding or no outstanding overrides/bypasses listed on the end of shift bypass report/log. This override/bypass log shall be stored and maintained for two years either as hard copy or in the Control System.

Day-shift Technician: Night-shift Technician:

Date Name Signature Date Name Signature

Figure 2 - Sample HMI detail for SORA review

Figure 3 - Sample SORA for PSV Testing

Figure 4 - Sample SORA for PSV Maintenance

Figure 5 - Sample SORA for Instrumented Function
