Torus Risk Engineering

Best Practice Centre

No Safety Interlock or Critical Alarm should be bypassed without authorisation, and a procedure should be in place to ensure that this activity takes place in a safe and controlled manner. Certain Safety Systems are considered inviolable, and the protected equipment or process may not be operated unless these systems are functioning. Overspeed protection on a large turbine is a straightforward example. Safety studies will have identified such systems and they will be highlighted in the Operating Procedures as “Not to be Bypassed”. The Bypass Procedure should call for an initial risk assessment. The time allowed for an override to remain in place should be kept to a minimum. The longer an override is in place, the higher the risk becomes to the plant and its personnel. Management validation should be required if the override period exceeds a fixed time limit. In this case the procedure should include a requirement for escalating approval to higher authority, including a review of the initial risk assessment, or trigger a Management of Change (MOC) procedure as a “Temporary Change”.

Refinery Hydrocracker Incident
During an unscheduled pause in the start up of a Hydrocracker Unit, there was a pressure breakthrough from the HP Separator, operating at 155 bar, into the LP Separator, operating at 9 bar. The LP Separator failed catastrophically from the resulting overpressure. The explosion and ensuing fireball killed one operator and seriously damaged the unit and control room. Rebuild took 2 years. The accident investigation found that the Level Interlock system had been physically bypassed for some time, as it was considered unreliable. There had been no risk assessment or changes to operating procedures following this action. The start up of the unit commenced with only one of two level control systems in operation, and when this failed during the start up, the loss of level was not detected. The Low Low Level Alarm did function, but the alarm indicator bulb had failed and the audible alarm was considered “spurious”. With the Interlock bypassed, the control valves remained open. The loss of liquid level in the HP Separator allowed gas to surge into the LP Separator and overpressure the vessel.

Safety Interlocks and Critical Alarms are installed to indicate and/or prevent potentially hazardous conditions which might endanger equipment, personnel or cause damage to the environment. Overriding safety interlocks may be required for online calibration, maintenance work, or when there is a fault in the interlock system itself. However, overriding a safety interlock or alarm on an on-line process means a reduction in the level of protection, and so the process equipment is more vulnerable to a hazardous event should a process upset occur.

SAFETY INTERLOCK AND ALARM OVERRIDES

When overriding safety interlocks backup measures should be put in place to protect against the same potential event that the bypassed interlock was designed for. This backup may involve ensuring the availability of a dedicated operator to continuously monitor the critical variables whilst the bypass is in place. It may be operating at a reduced temperature/pressure. There may be a requirement for mitigation procedures, such as removing all non-essential personnel or having standby emergency personnel.

Interlock override permits should be kept in the control room and contain the following elements:

• Equipment Identification
• Reason for interlock override
• Description of work to be performed
• Backup procedures
• Mitigation Procedures and Safety Concerns
• Expected duration of the bypass
• Location of override mechanism
• Method of shutting down the process if required
• Appropriate approval by the authorised signatory
• Sign-off and dating of when the override is performed
• Sign-off and dating of when the system is actually returned to operational status

The shift handover log and management information systems should include a list of overrides. In order to ensure that the override procedure is working effectively it must be audited on a periodical basis and, therefore, it is recommended that either paper or a purposely designed electronic override logbook be used.

Summary

Overriding safety interlocks and alarms must be strictly controlled. Because of the critically important function of safety interlocks and alarms to process safety management, it is imperative that rigorous and detailed procedures are developed for controlling any temporarily installed overrides.

Copyright © 2010 Torus Insurance Company. All rights reserved.
