DEPT Doc # Page 1 of 16

Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

DOCUMENT COVER SHEET

 DEPT Doc # Page 2 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

TABLE OF CONTENT

COVER PAGE 1
TABLE OF CONTENT 2
1. PURPOSE 3
2. SCOPE 3
3. SAFETY CRITICAL EQUIPMENT 4
4. RESPONSIBILTIES AND AUTHORIZATION 5
5. PERIOD OF DEFEAT 7
6. TERMINAL PROCEDURE 7
7. TRAINING 12
8. REFERENCES 12
9. Workflow for Defeat of Safety Critical Equipment 13
 DEPT Doc # Page 3 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

1.0 PURPOSE
This document describes the general procedures and definition of Defeat of
Safety Critical Equipment.

2.0 SCOPE
This procedure is intended to

a. Establish and maintain control over the process of defeat of Safety Critical
Equipment
b. Ensure that safe Operational control is maintained while any Safety Critical
Equipment is defeated or out of service.

Defeating a Safety Critical Equipment is the action of taking that device out of
service for a period of time. A request for defeat of Safety Critical Equipment is
needed when:

 Check operations of the device

 Carry out maintenance on the device (preventive / corrective)
 To allow continued Operations in the event of a device malfunction

Therefore, as long as a Safety Critical Equipment’s “Protective, Safety Function”

is not able to function satisfactorily in its process loop, even though the
equipment is still present, a request must be raised.
 DEPT Doc # Page 4 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

Consideration must also be given if this Safety Critical Equipment defeat affects
related process loops.

Defeating a device should normally be under suspended Operations

circumstances and for the shortest duration possible, so that the safety feature is
in service as much as possible.
Terminals are required to have an Operational, documented and auditable
system in place to control this process.

3.0 SAFETY CRITICAL EQUIPMENT

Selection of Safety Critical Equipment is critical, they are in place to:

• Prevent a major process accident

• Mitigate the results of a loss of containment
• Indicate / alarm in the presence of hazardous environment / condition.

A major process accident is one, which results in a threat to life or the

environment inside or outside the terminal or significant damage to facility.
Generally a safety critical device is the last line of defense to maintain the safety
of the Operations or process equipment.

3.1 LIST OF SAFETY CRITICAL EQUIPMENT

For this process to be effective, each terminal shall establish and maintain a list
of Safety Critical Equipment. The list must be formally approved by the Terminal
 DEPT Doc # Page 5 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

Manager and any subsequent changes (set points, control logic steps) to the list
shall be subject to Management of Change procedures.
Following are the list of safety critical systems agreed for VTKN:

 Roof Vent on top of tanks

 UPS in server room
 Gear pump High pressure switch
 Radio communication system
 Grounding Systems (Earth pits, Earth strips, earthing clamps)
 Diesel Generators
 Boiler Protection System, PRV, PSV
 HT Yard, VCB, Transformer and all electrical Panels, and protection
relays
 Hooter/ alarm at main gate
 Compressor Safety interlocks

4.0 RESPONSIBILITIES AND AUTHORISATION

4.1 Responsibilities

The Manager Operations is responsible to ensure proper implementation and

execution of this procedure.
 DEPT Doc # Page 6 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

The Sr. Engineer Electrical is responsible to develop and maintain the list of
safety critical equipment in the Terminal, and responsible for ensuring that
relevant inspection, maintenance and operational procedures properly consider
the use, maintenance and defeat of this equipment. He is also responsible to
communicate this Safety Critical Equipment list (and any changes) to all
personnel in Operations, Maintenance, SHE departments and contractors (if
necessary). This is to ensure such equipment is not unknowingly defeated
without the proper authorization.

The risk of continue operations during the period of defeat must be assessed and
additional precautions must demonstrate that the risk has been reduced to an
acceptable level.

The Executive Ops team and Shift Leaders are responsible to ensure that
“Defeat Equipment communication” is properly carried out during shift change.
Shift leader is the defeat coordinator for better implementation of DSCE
procedure on ground. It is responsibility of Operation manager or in his absence
shift leader to track the status of the defeat from initiation to closure.
 DEPT Doc # Page 7 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

4.2 Authorization
Defeat Of Safety Critical Equipment- Authorities

Department Defeat Requester Defeat Custodian Defeat Authorizer Defeat Acknowledger

1.Hemant Rangwani 1.Hemant Rangwani 1.Chirag Vithlani 1.Hemant Rangwani
2. Paramaswamy.P 2. Paramaswamy N.B- In his absence in 2. Paramaswamy.p
line Incharge
Operation Hemant Rangwani

1.Mayur Chudasama 1.Mayur Chudasama 1.Chirag Vithlani 1.Mayur Chudasama

2.Hari Barad 2.Hari Barad (In his absence in line 2.Hari Barad
3.Aadarsh Shrivastava 3.Aadarsh Srivastava charge) 3.Aadarsh Shrivastava
Maintenance
2.Hemant Rangwani
 DEPT Doc # Page 8 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

4.2.1 Authorization to request defeat of a safety critical device or system

The custodian of the equipment (Maintenance, SHE or Operations Departments)

is authorized to request defeat of a safety critical device or system. If the
requestor is not the custodian of the equipment, notifications must be done.
When necessary, it is the responsibility of the Maintenance Department to
formally request or to advise SHE or Operations Departments when a defeat is
necessary due to a system defect.
For some equipment, subject to legal inspection and maintenance regimes such
as pressure vessels and lifting equipment, the terminal must authorize the defeat
if the responsible engineer declares that the system has to be taken out of
service for remedial work.

Authorization to defeat a safety critical device or system

Only the Manager Operations (or pre-appointed designate) is authorized to

approve the defeat of a safety critical device or system. This can be done with
appropriate consultation from the Terminal Management Team. Pre-appointed
designate may authorize defeat if Manager Operations is not available.

4.2.2 Authorization to continue Operations while defeating safety critical device

or system
 DEPT Doc # Page 9 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

The safest option is to suspend operations during the period of defeat and this
must always be the first consideration. Through coordination of maintenance and
operational activities it is often possible to choose a maintenance period when no
operational activities are planned.

However there will always be some circumstances when operations have to

Continue, either because the system is part of a continuous process, or because
the defeat is due to equipment fault or breakdown.

In these cases additional monitoring will usually be necessary, and it may be

Necessary to operate more cautiously.

The risk assessment and additional precautions must demonstrate that the risk
has been reduced to an acceptable level
If an Operation is critical and risk from Defeat of Safety Critical Equipment is
deemed low, the Asst. Manager Operations, with appropriate consultation from
the Terminal Management Team is authorized to approve the continuation of
Operations while a safety critical equipment or system is defeated. Pre-appointed
designate may authorize defeat if Asst. Manager Operations is not available.

Please note that for some equipment subject to legal inspection and
maintenance regimes such as pressure vessels and lifting equipment, the
Terminal must authorize the defeat if the Maintenance Engineer declares that the
system has to be taken out of service for remedial work.

5. PERIOD OF DEFEAT
 DEPT Doc # Page 10 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

Authorization of defeat of Safety Critical Equipment shall always be sought,

regardless of duration of defeat. This is to ensure terminals operate with Safety
Critical Equipment at all times.

If the period of defeat is more than 1 week, to ensure that these defeats are not
forgotten, the defeat must be re-authorized each week using a new Defeat
Authorization Form. This is to allow assessment of condition change (if any) &
risk before renewal of equipment defeat. A ‘grace period’ of 20% of the agreed
inspection interval will apply. Extension within the ‘grace period’ possible only
with written TM approval (and Authority approval if applicable).

6. TERMINAL PROCEDURES

Appendix 1 shows a typical workflow for the Defeat of Safety Critical Equipment
process, Terminals must include the following key steps during defeat of Safety
Critical Equipment.

6.1 Requests for Defeat of a Safety Critical Device or System

Authorized person(s) are to make requests via the Defeat Authorization Form F-
03-30. Reasons for defeat, isolation in place (if available), consequences of
defeat and estimated period of defeat must also be clearly stated via this form.
 DEPT Doc # Page 11 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

If equipment defeat is necessary during off-office hours, requests can be made

verbally and authorization sought from the appropriate personnel. It may be
useful to document these verbal approvals and stated risk control measures in
the Shift log.

The equipment defeat form must be raised soon after, once opportunity allows.

6.2 Procedures before Authorizing a Request

Safety Critical Equipment can only be defeated following the system of controls
described.

Safety checks must be conducted followed by a documented Risk Assessment,

with involvement of the relevant departments to identify the actions necessary to
maintain safe Operations during the period of defeat.

The Risk Assessment enables Terminal Management to identify the

consequence of equipment defeat and decide whether to continue operations
during equipment defeat. Risk may be mitigated by procedural change or
additional safeguards. It is hence necessary to attach the documented Risk
Assessment to the Defeat Authorization Form.
 DEPT Doc # Page 12 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

If the request is approved, suspending Operations must always be considered

as the safest option. However, there will always be some circumstances when
Operations have to continue, such as when the faulty equipment is part of on-
going Operations. Additional monitoring and measures which demonstrates that
risk has been reduced to an acceptable level, will then be necessary.

Authorization must be documented via the Defeat Authorization Form in F-03-30.

If request of equipment defeat is due to Preventive Maintenance, upon

Terminal’s discretion after weighing the risks, the request may be rejected;
however, scheduling of the defeat of this Safety Critical Equipment for the next
available opportunity must be done.

Reason for refusal must be documented in the Defeat Authorization Form.

Once a defeat is approved, all necessary works shall be carried in accordance to
Terminal’s Permit to Work System. Copies of the approved Defeat Authorization
Form must be attached to these Permits.

6.3 Communication of Equipment Defeat to Staff

At the appropriate times, status of request must be communicated to all relevant

departments (Operations, Maintenance, Customer Service, SHE).
 DEPT Doc # Page 13 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

This is especially when request has been approved and risk mitigating measures
have to be taken during Operations. As a reminder, the approved defeat form
shall be displayed on the Defeat of Safety Critical Equipment Notice Board for
the duration the equipment is defeated. It is recommended that a copy of original
Defeat Form be placed on this Notice Board if a lengthy period of defeat is
expected.

Alternatively, a summary of defeated equipment details may be posted on this

notice board, with filed Defeat Forms placed nearby for easy reference. However,
additional controls may be necessary to ensure that summary remains updated.
A Responsible Person may be required.

Upon first authorization of equipment defeat, it is the responsibility of the on-

going shift to communicate equipment defeat and Operations procedures to the
next in-coming shift during Shift handover (if equipment stays defeated). These
Operation procedures may include risk control measures, additional monitoring,
etc, and must be documented via the Shift Log or any appropriate means and the
Defeat Authorization Form.

Once equipment returns to service, any changes to control devices set points, or
control logic steps must be initiated using a Management Of Change system and
must be formally authorized. In some cases it will be necessary to undertake a
safety study such as a HAZOP, What if analysis, or checklist based study to
demonstrate that the set point can be safely changed.
 DEPT Doc # Page 14 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

6.4 Method for Re-Authorization of Defeat

Upon Terminals’ discretion, nominated Responsible Person(s) may be appointed

to monitor equipment defeat. He must ensure defeat is re-authorized each week
and the necessary measures such as Safety Checks and Risk Assessments (if
necessary) are done to ensure safe Operations during equipment defeat.

Terminals may also choose alternative effective methods to trigger re-

authorization. All re-authorization must be done on a separate Defeat
Authorization Form, with the original form attached.

6.5 Return to Service of Safety Critical Equipment

Before return to service of equipment, relevant safety checks such as equipment

tests must be conducted. These checks & test results must be logged into the
Defeat Authorization Form. If equipment change (with different set points) is done
or re-installed equipment is unable to perform as previously, relevant
departments must be informed and a re-defeat or

Management of Change considered. Formal approval of these changes must be

sought via the Management of Change process.During acceptance of equipment
return back to service, the equipment custodian (SHE or maintenance
Departments) and Operations Department endorse via the Defeat Authorization
Form. It is the responsibility of these departments to
communicate with Terminal employees on the return to service of this equipment.
 DEPT Doc # Page 15 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

7.0 TRAINING

It is the responsibility of the Line Managers to communicate the requirement

herein to their relevant department persons as indicated in the VTKN Training &
Development Matrix. All relevant personnel shall also be familiar with their
Terminal Safety Critical Equipment.
 DEPT Doc # Page 16 of 16
Operation PRO-03-30

Owner Date Revision

DEFEAT OF SAFETY CRITICAL Operation Manager 30/08/2016 2
SYSTEMS

8.0 REFERENCES
Vopak Standards: Defeat of Safety Critical Equipment

Appendix 1: Workflow for Defeat of Safety Critical Equipment