DWGOM Group Practice

DWGOM GP 30‑0130 Override/Bypass Control

Rev. 2 6 Dec 2012 Site Technical Practice Engineering

Override/Bypass Control

Table of Contents
Page Foreword ........................................................................................................................................ 3 Introduction ..................................................................................................................................... 4 1 2 3 4 5 6 Scope .................................................................................................................................... 5 Normative references............................................................................................................. 5 Terms and definitions............................................................................................................. 5 Symbols and abbreviations .................................................................................................... 7 Audit requirements................................................................................................................. 8 Organization, roles, and responsibilities................................................................................. 9 6.1 Operations responsibilities .......................................................................................... 9 6.2 Drilling responsibilities for BP-managed drilling facilities ........................................... 10 Introduction.......................................................................................................................... 11 7.1 Instrumented safety functions ................................................................................... 11 7.2 Non-instrumented safety functions............................................................................ 12 7.3 Methods used for bypassing safety functions............................................................ 12 Basic principles.................................................................................................................... 13 Eligibility for overrides/bypasses .......................................................................................... 13 Safety Override Risk Assessment........................................................................................ 14 Control of overrides/bypasses.............................................................................................. 15 Start-up overrides ................................................................................................................ 16 Overrides on isolated non-operational plant......................................................................... 17

7

8 9 10 11 12 13

Bibliography .................................................................................................................................. 26

List of Tables
Table 1 - Safety Override Risk Assessment form .......................................................................... 18 Table 2 - Safety override/bypass log ............................................................................................. 20 Table 3 - Safety override/bypass shift change log ......................................................................... 21

List of Figures
Figure 1 - Safety override/bypass application flow chart................................................................ 19 Figure 2 - Sample HMI detail for SORA review ............................................................................. 22 Figure 3 - Sample SORA for PSV Testing..................................................................................... 23 Figure 4 - Sample SORA for PSV Maintenance ............................................................................ 24 Figure 5 - Sample SORA for Instrumented Function ..................................................................... 25

Page 2 of 26

DWGOM GP 30‑0130 Rev. 2 6 Dec 2012

Update SORA requirements on non-integrity rated (IL 0 or IL A) safety instrumented function override/bypass SORA requirements. BP Internal. Added additional guidance when developing SORAs. revisions are not identified by a bar in the left margin. Update to role and responsibility titles and Safety Override Risk Assessment (SORA) attendee requirements. In the event of a conflict between this document and a relevant law or regulation. • • • • • • • • • • •  Due to extensive changes to this STP. 2 6 Dec 2012 . Bizflow Control System Change Request (CSCR). Specified Authority. Added definitions for Basic Process Control System (BPCS). as a minimum. If the document creates a higher obligation. Clarification on timing of Management of Change (MOC) requirements. This document and any data or information generated from its use are classified.Override/Bypass Control Foreword This is a revised issue of Site Technical Practice (STP) DWGOM GP 30‑0130. Added override/bypass procedure requirements for Hazard Operability (HAZOP)/Layer of Protection Analysis (LOPA) Study-identified Safety Related Alarms (SRAs) and Basic Process Control System (BPCS) control loop Independent Protection Layers (IPLs). SRA and IPL. it shall be followed as long as this also achieves full compliance with the law or regulation. Added Audit Requirements (2011 OMS audit action) Updated documentation to be reviewed during weekly Specified Authority Audit. Corrected override/bypass application flow chart. the relevant law or regulation shall be followed. Provided guidance on when SORAs should be refreshed. None of the information contained in this document shall be disclosed outside the recipient's own organization. Page 3 of 26 DWGOM GP 30‑0130 Rev. Update on weekly Specified Authority audit requirements (2011 OMS audit action). unless the terms of such agreement or contract expressly allow. Distribution is intended for BP authorized recipients only. Added three year requirement to conduct an audit of the implementation effectiveness of STP DWGOM GP 30-0130 (2011 OMS audit action). Deleted the Facility Specialist role and added these roles and responsibilities to the Specified Authority role. Updated examples of safety function bypasses. All rights reserved. Copyright © 2012 BP International Ltd. This Site Technical Practice (STP) incorporates the following changes: • • • • • Added references to related Code of Federal Regulations (CFR). Updated linkage from IM to OMS requirement. as is normal practice. or unless disclosure is required by law. Clarification on approval requirements for extending SORAs beyond SORA-identified bypass duration. The information contained in this document is subject to the terms and conditions of the agreement or contract under which this document was supplied to the recipient's organization.

Only the minimum number of safety devices shall be taken out of service. 2 6 Dec 2012 . Page 4 of 26 DWGOM GP 30‑0130 Rev. However.803(c) (1) and 30 CFR 250.1004 (c). Any surface or subsurface safety device which is temporarily out of service shall be flagged. As such any user may at any time identify an error or suggest an improvement from the Technical Authority.803(c)(1) “Surface or subsurface safety devices shall not be bypassed or blocked out of service unless they are temporarily out of service for startup. The safety equipment shall be identified by the placement of a sign on the equipment stating that the equipment is rendered ineffective or removed from service.1004(c) “If the required safety equipment is rendered ineffective or removed from service on pipelines which are continued in operation. Personnel shall monitor the bypassed or blocked-out functions until the safety devices are placed back in service. and if found to be a deliberate violation. the document control system allows for continuous update of this document.Override/Bypass Control Introduction This guidance is provided to ensure that all field personnel comply with the regulations as found at 30 CFR 250. an equivalent degree of safety shall be provided. maintenance or testing procedures. however. Regulatory INCs issued against these regulations could result in significant civil penalties.” 30 CFR 250. could escalate into a criminal violation. of greater concern is the potential negative ramifications of the safety and health of our personnel.” Review and Update This document has been subjected to a number of operational and instrumentation technical peer reviews and is subject to a 3-year review and update. 30 CFR 250.

The SIS requirements of OMS Sub-element 3. c. Reviewing of the records. Bizflow Control System Change Request Ensures that the management and modification of systems is performed in a safe and effective manner. only the edition cited applies.Override/Bypass Control 1 Scope a. This STP is in accordance with BP Engineering Technical Practices (ETPs) on safety instrumented systems (SIS) overrides and refers to GP 30-81 for detailed guidance. 2. 2. Logging requirements.Operations and Maintenance For dated references. b. d. 6. Page 5 of 26 DWGOM GP 30‑0130 Rev. 7. transparency of process. the following terms and definitions apply: Basic Process Control System BPCS consists of a combination of sensors. The objective of the STP is to ensure all GoM sites have unified safety practices that will provide control. Start-up Overrides. the STP also conforms to: 1. be required for full compliance with this STP: • • BP GP 30-81 Safety Instrumented Systems . Categorization of overrides/bypasses. 3 Terms and definitions For the purpose of this STP. 2 Normative references The following referenced documents may. In meeting this requirement. and management of risk. Definition of override/bypass. process controllers and final control elements which automatically regulate the process within normal production limits. either hardware or software. the latest edition (including any amendments) applies. 9.3. Time limits. 3. logic solvers. Process Safety The GoM Safe Practices Manual . This STP provides expectations and guidance on all aspects of override/bypass control. For undated references. to the extent specified in subsequent clauses and normative annexes. 4. authorization and approval. These aspects include: 1. Documentation is required for any change that constitutes an alteration to a PES. 5. 8. 2 6 Dec 2012 . This STP is based on international standards IEC 61511. Acknowledgement. Roles and Responsibilities Risk assessment (SORA).

Rig Superintendent).g. 2 6 Dec 2012 . Drilling Contractor Rig Manager Drilling Contractors onsite person in charge (e. IL 1 and higher Any Instrumented function that has been identified in the risk assessment (HAZOP/LOPA) as a required protection layer. pre-determined frequency. IL 0 or IL A Any instrumented function that is designed to protect equipment but has not been identified in the risk assessment (HAZOP/LOPA) as a required protection layer. undesirable endpoint. Commercial Integrity Level Discrete level for specifying commercial integrity requirements of commercial function allocated to safety instrumented systems (SIS). Offshore Production Manager or Well Site Leader Out of Service Safety override that is used for equipment that is isolated and not functional for maintenance purposes. Tool Pusher.. offsite personnel. Offshore Facility Manager Offshore Installation Manager. Non-routine Any task not performed at a regular. Integrity Level More general description than safety integrity level (SIL). Override is used to prevent a safety function from operating. environmental issues and commercial issues. referring to highest integrity level (IL) required for safety of onsite personnel. Override The temporary bypass of a safety function or IPL to allow certain work to proceed without causing an unnecessary process shutdown or alarms. Environmental Integrity Level Discrete level for specifying environmental integrity requirements of environmental functions allocated to SIS. Layer of Protection Analysis Semi-quantitative method to assess adequacy of protection layers and determine performance requirements for SIS. An IPL is independent of all other protection layers associated with identified potentially hazardous event. Independent Protection Layer A device or system that is capable of preventing a postulated accident sequence from proceeding to a defined.Override/Bypass Control Bypass Bypasses perform the same function as an override. Safety Related Alarm An alarm that is identified as an IPL during HAZOP/LOPA and is independent of any BPCS control loop claimed as an IPL. Page 6 of 26 DWGOM GP 30‑0130 Rev.

Drilling Chief Electrician. Drilling Contractor Rig Manager 4 Symbols and abbreviations For the purpose of this STP. SILs for SIS operating in demand mode are defined in terms of probability of failure on demand (PFD). Shift Technician Control Room Operator. This role can be filled by the following positions: Production Team Lead.Override/Bypass Control Safety Instrumented Function A safety function that is implemented by an SIS which is intended to achieve or maintain a safe state for the process with respect to a specific hazardous event. Marine Team Lead. It is used in both ANSI/ISA-S84. Ventilation and Air Conditioning Instrument.01 and IEC 61508 to measure the reliability of SIS. Drilling Maintenance Supervisor. Maintenance Team Lead. the following symbols and abbreviations apply: BPCS BSL CIL CRO CSCR EIL ESD FSHL HAZOP HMI HREP HVAC ICE Basic Process Control System Burner Safety Low Commercial Integrity Level Control Room Operator (Bizflow) Control System Change Request Environmental Integrity Level Emergency Shutdown Flow Safety High/Low Hazard and Operability (Study) Human Machine Interface Hazard and Risk Evaluation Plans Heating. Ballast Control Operator Specified Authority Individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all overrides and bypasses for the Facility or Drilling Rig. Electrical Engineer Page 7 of 26 DWGOM GP 30‑0130 Rev. Safety Instrumented System A system that implements multiple Safety Instrumented Functions (SIFs) to protect an operating process. The system is composed of any combination of input sensors. logic solvers and final output elements that work in concert to detect hazards and bring the process to a safe state. Safety Integrity Level A statistical representation of the reliability of the SIS when a process demand occurs. 2 6 Dec 2012 . Control. Drilling Electronic Technician. The function also provides a defined level of risk reduction or IL for a specific hazard by automatic action using instrumentation.

Quality assessment of the Specified Authority weekly audits and documentation.Incidents of Non-Compliance Independent Protection Layer Layer of Protection Analysis Level Safety High/Low Management of Change Offshore Facility Manager Offshore Personnel Risk Assessment Programmable Electronic Systems Probability of Failure on Demand Pressure Safety High/Low Process Safety Risk Engineer Pressure Safety Valve Surface Controlled Subsurface Safety Valves Shutdown valve Safety Instrumented Function Safety Integrity Level Safety Instrumented System Safety Override Risk Assessment Safety Related Alarm Surface Safety Valves Temperature Safety Element Temperature Safety High/Low Zone Management System 5 Audit requirements a. 2 6 Dec 2012 .Override/Bypass Control IL INC IPL LOPA LSHL MOC OFM OPRA PES PFD PSHL PSRE PSV SCSSV SDV SIF SIL SIS SORA SRA SSV TSE TSHL ZMS Integrity Level Regulatory . An audit to assess each HUBs implementation effectiveness of this STP shall be conducted every 3 years with more frequent audits based on audit findings and will include but not limited to: 1. Page 8 of 26 DWGOM GP 30‑0130 Rev.

Is responsible for assuring that an individual or individuals are assigned the role of Specified Authority. Review of currently overridden/bypassed instrumented and non-instrumented safety functions (electronic report and/or hard copy log). 2 6 Dec 2012 .1. Field verification of active SORAs. 8.1 6.2 Specified Authority An individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all Overrides and Bypasses for the Facility. b. Coordinates the shift team to create a new SORA if a SORA is unavailable for the task at hand. as available or in place at the time of the audit. Is responsible for conducting a weekly operations review of the outstanding overrides. Authorizes the use of a temporary SORA.1. 6. Review of a representative sample equal to two months of bypass logs and shift change sign off. Reviews and acknowledge all outstanding overrides at the start of each shift day.1 Operations responsibilities Offshore Facility Manager Offshore Installation Manager or Offshore Operations Superintendent: a. Page 9 of 26 DWGOM GP 30‑0130 Rev. This role can be assigned to the Operations Engineer. 6 Organization. d. 3. 7. c. Is responsible for the logbook and the authority over all overrides that occur throughout their shift. The sample size of the documentation reviewed shall include a representative sample equal to or greater than two months of information since the last audit. b. f. d. b. 4.Override/Bypass Control 2. Review 15% of SORAs for instrumented and non-instrumented safety function bypasses. Review of the representative sample equal to two months of altered valve list documentation. c. e. Authorizes the use of a bypass for more than one week. Revalidates an authorized SORA for reuse is the SORA is updated. roles. 5. with Specified Authority and approves the outcome. Review of a representative sample equal to two months of overridden/bypassed instrumented and non-instrumented safety function activity (electronic report and/or hard copy log). and responsibilities The following provides a summary of the responsibility assigned to a specific role. Is responsible for the overall control of overrides/bypasses in accordance to safety and technical guidelines. Production Team Lead or Maintenance Team Lead or Marine Team Lead a. 6. Individual’s knowledge of the specific role and responsibility he/she is assigned. 6. Ensures that the overrides are reviewed as part of the weekly Operations meeting.

Ensures that the overrides are reviewed as part of the weekly drill rig meeting.3 Ensures that all records are detailed and informative. with Drilling Contractor Rig Manager and approves the outcome.2 Specified Authority An individual or individuals assigned by the Offshore Facilities Manager to act as the Authority over all Overrides and Bypasses for the Drill Rig. Revalidates an authorized drill rig SORA for reuse if the SORA is updated. Reviews and acknowledges all outstanding overrides. c. Page 10 of 26 DWGOM GP 30‑0130 Rev. b. f. 6. Coordinates with the shift team to create a new SORA if a SORA is unavailable for the task at hand. 6. Conducts a weekly drill rig review of the outstanding overrides.Override/Bypass Control e. Is responsible for the logbook and the authority over all overrides that occur throughout their shift. Ensures that SORAs are refreshed in cadence with HAZOP/LOPA revalidation. and or Drilling Maintenance Supervisor: a. d. Informs the Offshore Installation Manager of drill rig overrides/bypasses. Ensures that the override logbook is kept promptly up to date. b. Ensures that all records are detailed and informative. 2 6 Dec 2012 . Authorizes the use of a temporary drill rig SORA. during the shift handover. c. f. b. Shift Technician Control Room Operator or Ballast Control Operator: a. that the records are informative and detailed. e. Reviews and acknowledges all outstanding overrides/bypasses at the start of each shift day. Is responsible for the overall control of drilling overrides/bypasses in accordance with safety and technical guidelines. d. during the shift handover.2.1. Authorizes the use of a drill rig bypass for more than one week. that the records are informative and detailed. b.2.1 Drilling responsibilities for BP-managed drilling facilities Offshore Facility Manager The Well Site Leader: a. Ensures that the override logbook is kept promptly up to date. This role can be assigned to the Drilling Contractor Rig Manager a.2 6. Reviews and acknowledges all outstanding overrides. and their associated risk assessments.3 Shift Technician The Drilling Chief Electrician and/or Drilling Electronic Technician. 6.2. e. 6. and their associated risk assessments.

2 6 Dec 2012 . 17. such as self-cancelling start-up overrides/bypasses or dedicated mode-change hand switches are provided. environmental and commercial bypassing. including loss of operating permit. 10. Application of any override/bypass to any SIF with an IL of 1 or greater may be considered similar to the isolation of a safety relief valve. Flow Safety High/Low (FSHL). Shutdown Valves (SDV). Basic Process Control System (BPCS) control loops that are identified as IPLs in HAZOP/LOPA and put in manual mode. Fire Detector. g. 12. Level Safety High/Low (LSHL). This procedure does not apply to SIS inputs where specific operational facilities. TSE. e. Application of an override/bypass to an SIF with a specified (1 or greater) EIL can lead to serious consequences. 6. d. 8. Burner Safety Low (BSL). which would prevent a safety function from operating on demand.1 Introduction Instrumented safety functions a. The application of an override/bypass to a safety instrument system (SIS) prevents that safety instrumented function (SIF) from acting on demand.. Temperature Safety High/Low (TSHL). 9. and where the use of these facilities is covered adequately within the plant operating instructions which have been adequately risk assessed (e. 7. Blocking the view of ‘line of sight’ fire and gas detection device. Safety Related Alarms (SRAs) which are identified as IPLs in HAZOP/LOPA and disabled from the human-machine interface (HMI). Pressure Safety High/Low (PSHL). This document identifies those circumstances under which overrides/bypasses may be permitted and provides a procedure for controlling this operation. f. Surface Safety Valves (SSV). Examples of safety instrumented functions may include but are not limited to the following: 1. 3. 14. HAZOP). Safety Shutdown Group. 15. and there will be an increased risk during the time the override/bypass is applied. b. 16. Page 11 of 26 DWGOM GP 30‑0130 Rev.Override/Bypass Control 7 7. There are potential serious commercial implications for application of overrides/bypasses to safety instrumented functions with specified CILs. 4. 5. Surface Controlled Subsurface Safety Valves (SCSSV). Gas Detector. c. Temporary wired links. 2.g. 11. This document applies to all reasons for safety. ESD initiating and ESD end element devices. 13.

Navigational Aids. Pneumatic jumper lines. Block valves under PSV. Fire Detection Systems.3 Methods used for bypassing safety functions Examples of methods used for bypassing safety functions include: a.2 Non-instrumented safety functions a.Override/Bypass Control 7. 7. 10. This procedure applies to non-Instrumented safety functions that are defined as protective functions. 13. Electrical jumper lines. Pneumatic relay chocks. Electrical leads disconnect for power supply (navigation aids). q. Machinery Overspeed. Building Pressurization Systems (Heating. 15. n. e. 5. 8. Packaged Equipment Out of Service. i. Sensing line selector valves for PSHL testing. p. ventilation and air conditioning [HVAC]). AFI – Always False Instruction) Local panel . Fire Water Systems. Local control panel ‘Bypass’/‘In-Service’ selector valves. 14. m. 6. j. Blowdown and Flare Systems. 9.e. d. f. 4. Examples may include but are not limited to the following: 1. 7. Ballast Systems Safety Elements. Mooring Systems Safety Elements. Hand/off/automatic switch (fire water pump). 2. l. Isolation valves for SCSSV. Isolation valves on level safety bridles. h. 3. Forced safety system logic (i. 12. Emergency Communications Systems. HMI – safety bypasses/override/out-of-service switches. Page 12 of 26 DWGOM GP 30‑0130 Rev. Gas Detection Systems. c. Emergency Lighting. Pinned pneumatic or hydraulic safety relay.safety bypass/override switches/out-of-service switches. 2 6 Dec 2012 . Pressure Safety Valve (PSV). k. Vacuum Breakers. Isolation valves on pressure safety instruments Three way valve on SSV/SDV/BDV (trapped pressure). g. 11. Plugged bleed ports. o. b. Rupture Disk. b.

Planned overrides fall into three categories. 9 Eligibility for overrides/bypasses a. Use the SORA for all cases. e. The responsibility for the safety overrides/bypasses (including those for maintenance purposes) shall be assigned to a Specified Authority. h. BPCS control loop IPLs placed in manual for greater than one week require Specified Authority. SORAs should be included in the Hazard and Risk Evaluation Plans (HREP) for the asset. A SORA may also be generated for specific maintenance routines. Altered valve. Safety functions requiring override/bypass or disabling for periods in excess of one week shall be subject to the full Management of Change (MOC) approval process. g. t. SCSSV hydraulic supply Block valve). Bypasses in place for greater than one week require Specified Authority. SSV fusible caps. i. the implications of doing so shall be fully understood. This document applies where there is a need for override/bypass or disabling of applications involving safety. When multiple bypasses are in place. OFM and MOC approvals. The Safety Override Risk Assessment (SORA) is a decision support process intended to provide clear guidance where it is permitted to apply overrides/bypasses without further approval. f.Override/Bypass Control r. d. b. Integrity rated instrumented safety function IL bypasses (IL 1 and above) or Nonintegrity rated instrumented safety function bypass (IL 0 or IL A): a) b) 2. j. commercial or environmental risk. c. SORAs shall be refreshed in cadence with HAZOP/LOPA revalidation. u. The intent is to avoid a combination of bypasses that could lead to an undesirable event.. the risk assessment may be used multiple times. Fusible caps on SSV.g. 8 Basic principles a. 1. Valve Jammers (e. Plumbers plug (deck drains). OFM and MOC approvals. All SORAs shall be reviewed when changes are made to the process that could impact the assumptions of the SORA. HAZOP/LOPA identified BPCS control loop and Safety Related Alarm (SRA) Independent Protection Layers: a) b) Use the SORA for all cases. s. b. This SORA shall refer to the original SORA for each override/bypass. Petroval lock stops. After a SORA is approved and recorded. The Specified Authority has ultimate responsibility for the current status of any overrides/bypasses. 2 6 Dec 2012 . and adequate additional measures shall be applied to reduce the consequential risk of operating without automatic protection. Page 13 of 26 DWGOM GP 30‑0130 Rev. Before any override/bypass is applied. the risk of having these in effect simultaneously shall be assessed.

Non-Instrumented Safety Functions: a) b) c. These adjustments are not considered a hazardous operation. and document the reason for the extension. 2 6 Dec 2012 b. The resultant SORA shall be recorded on a suitable form. Use the SORA for all cases. Process Engineer for PSV SORAs and ICE Engineer for Instrumented System SORAs. An example of such a form is shown as Table 1. a specific risk assessment should be carried out for each safety instrumented system override/bypass.Override/Bypass Control c) 3. For PSVs/PSEs. Identify situations where it may be necessary to apply the override/bypass. 3. OFM and MOC approvals. 7. the following shall apply: 1. Specify whether any further actions need to be taken. The SORA shall be led by the Specified Authority or designated equivalent responsible person. This is essentially when the piece of equipment is placed in maintenance override which bypasses the ZMS. d. Attendees shall include Process Safety Risk Engineer (PSRE) for all SORAs. Identify the cumulative impact and risk of applying this override/bypass in addition to any other related overrides/bypasses that may already be applied. OFM and MOC approvals. 2. Rather than rely on the decision of an individual authority. 2. 10 Safety Override Risk Assessment a. If this duration is exceeded. Page 14 of 26 DWGOM GP 30‑0130 Rev. A SORA shall be carried out before the application of an override/bypass (see example Table 1). Identify the consequence and risk associated with the failure of the Safety Function to act on demand through the application of that particular override/bypass (information is available in OPRA and LOPA documentation). 5. Any override which causes the Zone Management System (ZMS) to be locked out can only be done after review and approval by the Drilling Contractor Rig Manager. The CSCR process shall be used for approval and documentation of this process. duration and removal of the override/bypass for instrumented safety functions. a SORA is not required if there is a redundant 100% PSV/PSE in service or if the device does not have an isolation valve. who will enlist the help of expert assistance as required. Identify any measures or actions that may be taken to reduce the risk to an acceptable level when the override/bypass is applied. These slight adjustments are required to overcome the effects of wind and vessel motion on the tools as they operate within the control of the ZMS. These overrides are simply slight positional adjustments that are done within the normal safe operational range of the tools and under the protection and control of the ZMS. the Specified Authority shall review the SORA. 6. For drilling automated pipe handling systems. Normal operational positional overrides which do not violate the control and protection of the ZMS are permitted. . Safety Related Alarms in disabled mode for greater than one week require Specified Authority. The objective of the exercise shall be to: 1. 4. Bypasses in place for greater than one week require Specified Authority. Specify the maximum duration for which an override/bypass may be applied. Identify the consequence and risk of a spurious trip during the application.

. the terms of Clause 10b. The Lock Out/Tag Out system shall be used for control of local override/bypass switches and valve jammers. process engineer and CRO.Override/Bypass Control c. The integrity rating of Safety instrumented Overrides/Bypasses which have a rating of IL 1 or higher shall be clearly and unambiguously identified as such on the HMI graphic so the operator is clear on the IL of the safety function before it is put in bypass. In cases where more than one predefined SORA is being applied. (A suitable form is shown in Table 1. Specified Authority . or it may be accessible through the HMI (a suggested example is shown in Table 2 and Table 3) which is to be available in the control room and/or Rig Manager’s office for easy reference. 2. added to the facility SORA file (see flow chart Figure 1). 5. 4. the SORAs shall be indexed and filed in a file system. f. 7. In an urgent situation when a suitable SORA cannot be located.) Authorization levels shall be decided locally and may typically be as follows: 1. in conjunction with the Lead Tech (or equivalent). g. Page 15 of 26 DWGOM GP 30‑0130 Rev.Endorses Assessment. 11 Control of overrides/bypasses a. Where valve ‘jammers’ are fitted to permit online proof testing on valves that form part of a high integrity SIF. Eligibility for overrides/bypasses. 2 6 Dec 2012 b. 2. OFM . the following questions should be answered: 1. The SORA should be carried out as an off-line activity. e. c. I&C engineer. d. f. The results of the assessment shall be recorded and authorized. Following completion. 6.2 applies. e. at the earliest opportunity to avoid having to make such important judgments when under stress or at periods of high activity. This ‘urgent situation’ SORA shall then be formally reviewed at the earliest opportunity by the Specified Authority and OFM and if appropriate. When developing the SORA. What process variable is to be monitored? What device will be used to monitor the process variable? How will the process be controlled? What assurance will be performed to ensure the equipment used to monitor and control is operating properly? At what point is response required to prevent an undesirable event? Is there adequate time to respond to prevent an undesirable event? Will the mitigation measures identified provide an equivalent degree of safety? d. Following a whole system review. Each facility shall utilize this STP as the procedure for guidance on the process to apply an override/bypass to safety functions. The SORA development and refresh team should include roles such as PSRE. the above process shall still be followed with the Operations Tech (or equivalent) endorsing the assessment. a completed SORA shall be available for each override/bypass as called out in Section 9. HAZOP/LOPA identified BPCS control loop and SRA IPLs shall be clearly and unambiguously identified as such on the HMI graphic so the operator is clear on the IL of the safety function before it is put in bypass.Carries out the Assessment with assistance from others. 3. Technicians shall be trained on the significance of the IL rating and shall understand the procedures to be followed when applying an override/bypass. these shall also be considered to be overrides/bypasses.

b. however. as they have been specifically designed and reviewed during the design of the unit and during development and approval of the operating procedures. The audit shall include comparison between the override/bypass electronic report and/or log sheet and the actual state of the override/bypass safety function. then the start-up overrides shall comply with this STP in its entirety. The number of times bypasses require SORA time extension approval through the CSCR process. Technicians may only authorize the application of overrides/bypasses within the scope of the SORA. The application of overrides/bypasses for testing or maintenance purposes shall be reviewed in conjunction with the SORA and any special observations shall be specified within the maintenance procedure or method statement. 1.Override/Bypass Control h. (A suggested log sheet is shown in Table 2. The application of any override/bypass shall be recorded using a log sheet.) The Shift Technician shall acknowledge and accept any currently applied overrides/bypasses when they commence their shift using the log sheet. efforts shall be made to minimize this duration. 12 Start-up overrides a. Any ‘urgent situation’ SORAs that have been raised shall be reviewed and any outstanding overrides/bypasses shall be challenged. The control of overrides/bypasses for maintenance purposes remains with the Shift Technician and even if not involved directly he/she shall be advised on the application and removal of any local or HMI initiated override/bypass. and typically. j.g. (A suggested sign off sheet is shown in Table 3. A start-up override needs to be removed as soon as possible. MOCs for overrides/bypasses that have been in bypass for over one week. Current listing of overrides/bypasses (electronic report and/or hard copy log). d. HAZOP). Documentation to be reviewed during the weekly audit shall include: a) b) c) d) e) f) 2. These procedures shall have been adequately risk assessed (e. i. k. The general procedure for applying a safety override is illustrated by the flow chart Figure 1. c. The Specified Authority for overrides/bypasses shall carry out an audit at least weekly of override/bypass status. Start-up overrides with automatic resets are not required to be controlled under this STP.) These bypasses are manually or electronically tracked and the bypass log shall be generated each shift. this should be done automatically. If any start-up override is required on a unit that already has additional (non-startup related) overrides applied.. Altered valve listing of all valves that are in an altered position. Page 16 of 26 DWGOM GP 30‑0130 Rev. SORAs for instrumented and non-instrumented safety function that are currently in bypass or were put in or taken out of bypass over the previous week. Start-up overrides with manual resets do not require any risk assessment. Documentation and validity of overrides on isolated non-operational plant safety functions. A start-up override is a defeat that is identified within the operator’s start-up procedure. The maximum permissible duration of override/bypass application is stated in the SORA. which is required to enable the unit to be started. 2 6 Dec 2012 . (A suggested process graphic and SORA display are shown in Figure 2 and Figure 3). but they shall be recorded in the override logbook.

The hazard identification and mitigation shall reflect this operational condition. low flows).’ and no additional action shall be taken. low pressures. the risk associated to the override shall be managed as follows: 1. A SORA shall be required for all integrity rated overrides. 2. during this period the function controlling. In some cases.Override/Bypass Control 13 Overrides on isolated non-operational plant a. the hazard that the instrument function is protecting against may no longer exist. During this period of plant isolation. Therefore. the process condition shall state that the plant is positively isolated. In these cases the override(s) are applied to prevent the shutdown of the operational plant caused by process parameters that are normal during isolation but undesired when operational (e. Page 17 of 26 DWGOM GP 30‑0130 Rev.. b. 2 6 Dec 2012 . however. The ‘Isolation Number’ shall be recorded against each affected override on the override log. low levels. overrides are applied to plant areas. These overrides shall not be counted as ‘Long-term Overrides. 3. and the time period for which the override will be applied.g. trains and units that may be positively isolated for long periods of time. or the risk is significantly reduced.

of input/output) Descriptor: Integrity Level: Method of Override: Environment Commercial Facility: Safe Chart Reference: Safety Integrity Basis: (Identify highest overall requirement) Hazard(s) of Applying Override/Bypass: (What are the consequences if this safety function fails to act on demand? Information is available in OPRA and LOPA) Hazard(s) from Spurious Trip if applicable: (For instrumented safety functions. Page 18 of 26 DWGOM GP 30‑0130 Rev.) Lead Tech/Engineer: Name: Specified Authority: Name: Offshore Facility Manager: Name: Date: Date: Date: Note: A paper filing system or an online database can be utilized to fill the form and maintain the above SORA data. the override/bypass of this safety function is classed as: Acceptable Unacceptable Maximum Duration of Override/Bypass Allowed: _______ Observations or Comments: Maintenance Testing Start-up Only Assessment Carried out by: Date: (Specified Authority or equivalent and attendees)(Attendees shall include PSRE for all. at what point is response required to prevent an undesirable event. The asset has the option of maintaining the SORA data as hard copy or importing the SORA data into the Control System to display key SORA data as a pop up from the HMI screen when bypasses are to be implemented. identify the consequence and risk of a spurious trip during the bypass/override state?) Reason{s) for Applying Override/Bypass: (Maintenance.Safety Override Risk Assessment form Tag Identification of Device: (Specify tag no. 2 6 Dec 2012 . Refer to Figure 2 and Figure 3. is there adequate time to respond to prevent an undesirable event while overridden/bypassed?) Considering the level of risk and the potential for mitigation. fault diagnostics. Process Engineer for PSVs and ICE Engineer for instrumented systems. Note: start-up overrides/bypasses normally provided for process operations) Mitigation: (What process variable should be monitored. how will the process be controlled.Override/Bypass Control Table 1 . etc. testing. what device is used to monitor the process variable.

2 6 Dec 2012 .Safety override/bypass application flow chart Page 19 of 26 DWGOM GP 30‑0130 Rev.Override/Bypass Control Figure 1 .

2.Override/Bypass Control Table 2 . Page 20 of 26 DWGOM GP 30‑0130 Rev. For Non-HMI bypasses a hard copy shall be maintained in the control room and/or Rig Manager’s office for two years.Safety override/bypass log Facility: Tag Number ____________________ Description Applied by Date Time Time In Bypass Duration SORA Permitted Bypass Duration Note: 1. For HMI overrides the SIS override/bypass log shall be stored and maintained (either hard copy in the control room and/or Rig Manager’s office or electronically in the control system) for two years for safety function bypasses. 2 6 Dec 2012 .

This override/bypass log shall be stored and maintained for two years either as hard copy or in the Control System Day-shift Technician: Date Name Signature Night-shift Technician: Date Name Signature Page 21 of 26 DWGOM GP 30‑0130 Rev.Override/Bypass Control Table 3 .Safety override/bypass shift change log Facility: ____________________ By signing below. 2 6 Dec 2012 . all signatories confirm acceptance of the outstanding or no outstanding overrides/bypasses listed on the end of shift bypass report/log.

2 6 Dec 2012 .Sample HMI detail for SORA review Page 22 of 26 DWGOM GP 30‑0130 Rev.Override/Bypass Control Figure 2 .

2 6 Dec 2012 .Override/Bypass Control Figure 3 .Sample SORA for PSV Testing Page 23 of 26 DWGOM GP 30‑0130 Rev.

Override/Bypass Control Figure 4 .Sample SORA for PSV Maintenance Page 24 of 26 DWGOM GP 30‑0130 Rev. 2 6 Dec 2012 .

2 6 Dec 2012 .Override/Bypass Control Figure 5 .Sample SORA for Instrumented Function Page 25 of 26 DWGOM GP 30‑0130 Rev.

Additional production system requirements [5] 30 CFR 250.1004.Safety instrumented systems for the process industry sector Page 26 of 26 DWGOM GP 30‑0130 Rev.Override/Bypass Control Bibliography BP [1] OMS Sub-element 3. 2 6 Dec 2012 .3.01. Process Safety [2] GP 30-81. Application of Safety Instrumented Systems for the Process Industries Code of Federal Regulations (CFR) [4] 30 CFR 250. SIS Operations and Maintenance American National Standards Institute (ANSI) [3] ANSI/ISA-S84. Functional safety . Functional safety of electrical/electronic/programmable electronic safety-related systems [7] IEC 61511. Safety equipment requirements for DOI pipelines International Electrotechnical Commission (IEC) [6] IEC 61508.803.