Instrumented safeguards execute many types of functions, such as reactive or permissive interlocks, operator response to alarms, fire and gas systems, and safety-instrumented functions. Bypassing (also referred to as “impairing”, “suppression” in the case of alarms, or “jumpering” for electronic circuit bypassing of field devices) the safeguard’s function or a device used by the safeguard may impair or eliminate the safeguard’s ability to prevent or mitigate the hazardous event. In fact, bypassing the Safety (Signal) Safeguard is very critical and has great effects on degrading the Safety System, and so needs an exact, complete Management System.
Safety Bypass Management System
In this article, we review the subject “Safety Bypass Management System”.
Figure 1: Temporary Instrumentation and Controls Bypass – Potential Hazards Consequences (Extracted from AIChE-CCPS website).
Potential Hazardous Consequences to Safety Bypass
Generally, bypassing any Safeguard or Safety Function will degrade the Safety System and will produce the possibility of Potential Hazardous Consequences. However, sometimes Process Plant requires some type of Bypassing which affects Safety Functions, and due to critical consequences, such bypassing shall be limited (and temporary).
Bypassing or Override Instrument Signal is one of the most important items of Bypassing, which may degrade Safety System considerations or performance. Figure-1 shows some of Potential Hazards Consequences to Temporary Instrumentation and Control Bypass, which is extracted from the AIChe-CCPS website. It is clear that instrument signals are used in both Process Control and Safety Systems, and bypassing such signals in Safety Systems may have greater effects on the plant Overall Safety).
Bypassing Instrument (Safety Signal) mainly appeared as Maintenance Override or Process Override due to some process plant requirements/ intents, which are mainly mentioned in Figure-2 via some case examples.
Figure 2: Temporary Instrumentation and Controls Bypass – Fundamental Intent (Extracted from AIChE-CCPS website).
Challenges in Safety Bypass
It is very important to notice that Instrument Signal Bypassing has great effects on Plant Safety, so it shall be done via a regular routine with exact studies on different aspects and interactions due to big relevant challenges. Some of these challenges are listed below (Reference)
Lack of Visibility and Tracking
Without centralized monitoring, it is difficult to track who authorized each bypass and when it occurred. This lack of visibility can lead to increased safety risk.
Inconsistent Authorization Procedures
Variability in authorization practices across departments or shifts can result in inconsistent application of safety protocols, increasing the risk of unauthorized or improper bypasses.
Documentation Gaps
Inadequate documentation of safety control overrides can hinder the ability to audit or investigate incidents effectively, compromising accountability and safety compliance.
Complex Approval Processes
Lengthy or complex approval processes can delay necessary bypasses, impacting operational efficiency and potentially leading to unsafe workarounds if not managed properly.
Risk of Human Error
Manual entry or miscommunication during the bypass process can lead to errors, such as incorrect authorization or overlooked safety checks, increasing the risk of safety incidents.
Integration Issues
Difficulty integrating bypass management systems with existing safety controls, such as permit to work and isolation management, can result in fragmented oversight and increased safety risk.
Figure 3: Temporary Instrumentation and Controls Bypass – Common Program Practices (Extracted from AIChE-CCPS website).
Common Program Practices for Safety Bypass
Further to the above-mentioned challenges, please notice that Figure-2 also shows some questions helping us clarify some of the relevant challenging aspects.
In fact, answering questions like those shown in Figure-2, help us to provide the Safeguard Bypass Program. Such a program mainly consists of at least three different parts: Policies, Procedures, and Permits.
However, the common program practices for safety bypass may include the elements listed in Figure-3.
Managing Signal Override (in Combined Process Control & Safety Systems) as a Basic Core for Safety Bypass Program
If we focus on different aspects and targets of the Safety Bypass Program, we find that the basic core (tools) for providing systematic management (on Safety Bypass) are very relevant to those interactions and interfaces implemented in Combined Process Control & Safety Systems, as shown in Figure-4. As simple words, all mentioned elements of the Safety Bypass Program are to be provided in conjunction with sequences of actions implemented in Combined Process Control & Safety Systems.
Figure 4: Signal Override Interfaces/ Interactions as a Basic Core for Safety Bypass Management (Program).
Figure 5: IEC-61511 declares that Requirements for Bypass shall be part of the Safety Requirements Specification (SRS).
As Figure-5 shows, the IEC 61511 Standard clearly mentions that Requirements for Bypass should be part of the Safety Requirements Specification (SRS) and explains that it will be administratively controlled and then subsequently cleared:
Requirements for bypasses, including written procedures to be applied during the bypassed state, which describe how the bypasses will be administratively controlled and then subsequently cleared.
It shall be strictly noted that the Bypass/ Override Management document as part of SRS is basically provided to help DCS/ESD Vendors for how to implement such facilities (i.e. the contents of this document provides basic essential facilities for applying the Maintenance Override Switches by the functionalities implemented in DCS/ESD Systems).
However, according to IEC-61511 Standard, it will be as a part of the Project Safety Requirements Specification (SRS) documents, which providesthe basis facilities in the Bypass/Override System (procedure) established at the project site by the end user (due to their organization charts and further administrative controls).”
Project Management/ Safety System at the project site shall provide a bypass procedure, according to safety standards and rules (as an example, OSHA 1910.119), and considering project site organization/ responsibility charts, and especially in order to define the exact sequence of making override, following actions to remove it, and finally disable action (via administrative controls).
End users may use extra management systems in conjunction with the implemented Override Management in Combined Process Control & Safety Systems (MOS in DCS/ESD) to guarantee the maximum safety and increased performance of project site activities. (For more study on Maintenance Override Switch (MOS) implementation in DCS/ESD, refer to the reference article)
Details of Safety Bypass Program/ Management
Based on the overall requirements mentioned above, the details of the Safety Bypass Program/ Management shall be stablished by more details. As an example, at the first step, Figure-6 shows some more detailed titles of such requirements aspects.
At the second step, we may define the sequence of such titles as requested targets in the Safety Bypass Program/ Management.
The following sequence description may be considered a good practice for such a program.
The critical task of bypass management necessarily includes a program for review and approval prior to entering the bypass state (potentially including risk analysis), procedures for administrative compensating measures (if required), annunciation and tracking of active bypasses, and auditing of the proper use of bypasses. These tasks are greatly facilitated through the use of automation equipment and bypass management software, but manual activity logs are also effective when properly applied.
The first step in bypass management is the authorization process. Before placing a device into bypass, the rationale for why the device must be bypassed should be reviewed to ensure that bypass is appropriate. Part of this process needs to be a review of the risk associated with the bypass, which will consider the duration of the bypass, the type and effectiveness of compensating measures, the degree of risk associated with the hazard that the bypassed component is protecting against, and the reason for the bypass.
Bypasses that exceed the maximum allowable repair time of a component or are performed for reasons other than common repair or maintenance should be subjected to a bypass risk assessment. After the bypass has been implemented and all compensating measures have been put in place, the status of the bypass needs to be reviewed regularly.
This is commonly done through an operator hand-off process from shift-to-shift, where all bypasses are reviewed and confirmed for continued application as required. If bypasses exceed their allowable time duration, the continued use of the bypass must be escalated, potentially requiring additional bypass risk assessment. This process continues until the bypass is cleared and documented.”
Figure 6: Some more detailed titles of Safety Bypass Program/ Management aspects.
Formats of Forms for Bypass Program/ Management
Based on the considered program for the sequence of activities and required actions, some proper forms shall be designed for satisfying defined requirements. Figures 7 and 8 show two samples of such forms.
Figure 7: Sample of Good Safety Bypass Work Permit Form (Viasat Company).
Figure 8: Sample of Critical Protection Bypass Register (Chevron Company).
International Organization Support for Safety Bypass Management
Many international organizations support some guidelines for establishing Safety Bypass Program/ Management, although they confirm that it shall be done just on some special and limited cases (see Figures 9 and 10).
Figure 9: Safety Bypass shall be minimized, but in the unavoidable case, shall be done by exact procedures (program).
Figure 10: Safety Bypass as one of the Process Safety Fundamentals (EPSC).
As an example, the European Process Safety Center, in parallel to other International Organizations, accepts the Safety Bypass/ Override as one of the Process Safety Fundamentals and defines some guidelines for establishing the right Safety Bypass Program/ Management (See Figure-11).
Figure 11: Summary Guides on Right Establishing Safety Bypass Management (EPSC).
Systems Vendor’s Support for Safety Bypass Program/ Management
Some famous vendors of Control and Safety Systems, further to supporting Bypass Override facility through system software and project application program, they provide some extra software (option) facility for better arranging and establishing Bypass Safety Management at project site. As an example, Yokogawa suggests one part of Exaquantum as the Override Safety Advisor (OSA), which provides very good facilities and tools for Safety Bypass Management (see Figure 12). Figure 13 shows some of these facility titles, which are provided by OSA.
Figure 12: Yokogawa Exaquantum as an extra Process Plant Management Software (having different facilities such as Override Safety Advisor).
Figure 13: Some Facilities of the Override Safety Advisor (OSA) of Yokogawa Exaquantum for Safety Bypass Management.
References:
- Safety Function Bypass or Override
- IEC 61511 Standard for Bypass & Override
- Types of Implementing Safety Signal Bypass
- Force Versus Override for Safety Signal Bypass
- A Good Practice on Override Safety Signal
