Safety systems are implemented to reduce operational risks and improve process safety; however, there are instances when these safety systems cannot be used in their normal way, which can significantly increase the risk level within a plant. An override, bypass, or inhibit is an action that prevents a safety device from performing its intended function. On the other hand, using such facilities properly may compensate for or mitigate some unfavorable consequences.
Safety Bypass and Override
This article tries to define some standard conditions and requirements for bypassing safety-critical protection signals in a Safety Instrumented System (SIS). It covers the systematic aspects that ensure critical protections are bypassed, monitored, tracked, and returned to service in a manner that maintains the safe and reliable operation of safety-critical systems, preventing or mitigating potential injuries, loss of containment, adverse environmental impact, and equipment or property damage.

Figure 1: IEC-61511 has some references for SIS Device Bypass.
IEC 61511 Standard Safety Instrumented System
IEC 61511 is the main global standard defining the requirements and different aspects of a Safety Instrumented System. Therefore, it may be considered a good reference for finding and defining all aspects and requirements for bypassing an SIS device (see Figure 1). We try to reach this goal by reviewing some phrases and sentences extracted from this standard.
Bypassing Safety Function
The Bypass is defined in the standard as:

Figure 2: Bypass Definition in IEC-61511 Standard.
Referring to the standard, a Bypass blocks the logic evaluation of the bypassed SIS item, while the input parameters and alarms continue to be presented to the operator and the final element is held in its normal state (preventing a trip).
This makes the purpose of a Bypass clear. However, bypassing may appear under different terms, such as override, defeat, disable, force, inhibit, or muting. Although all such words fall under bypass, the commonly used terms should be distinguished by their more exact differences:
Inhibit (or Disable) cuts the signal path to/from the functional logic, while Override (or Force), in addition to cutting the signal path, sets the logic-side signal to a specified setting (value or state). Since with an Inhibit the disconnected side of the signal has no defined state or value (which may cause conflicts or an unknown state), it is preferable to use the Override function when bypassing safety signals (see Figure 3).

Figure 3: Comparing Inhibit versus Override for Bypassing Safety Signal
However, it is very important to notice that during a Bypass the signal is not disconnected from the Safety System, so that monitoring and the relevant alarms continue.
By considering the IEC standard Bypass definition, we may find other bypass definitions using different words or representations. As an example, we see a good, simpler (but not comprehensive) Bypass definition in the Chevron document (DS&C Standard Bypassing Critical Protections -July 2018) as:
To temporarily block out, isolate, override, inhibit, force jumper, disconnect, or otherwise disable a device or system so that it will not perform its designed function for the purpose of testing, maintenance, and startup or to maintain safe, reliable operation.
Safety Bypass Conditions
Section 16 (SIS Operation and Maintenance) of IEC 61511 declares some Safety Bypass conditions (Figure 4).

Figure 4: Some Safety Bypass Conditions/ Requirements in IEC-61511
Bypassing is Restricted During Continued Process Operation
Clause 16.2.4 of this standard requires a hazard analysis, compensating measures providing adequate risk reduction, and operating procedures:
Continued process operation with a SIS device in bypass shall only be permitted if a hazards analysis has determined that compensating measures are in place and that they provide adequate risk reduction. Operating procedures shall be developed accordingly.
At first glance, it shall be noticed that continued process operation with an SIS device in bypass is permitted only if certain conditions are satisfied (it is not a normal act). On the other hand, before any override/bypass is applied, its implications shall be fully understood, and adequate additional measures shall be applied to reduce the consequential risk of operating without automatic protection.
However, at several points in the standard, it is declared that an SIS under bypass is degraded.
Compensating Measures for Adequate Risk Reduction
The main condition for applying a Bypass is providing compensating measures for adequate risk reduction. Compensating Measure is defined in clause 3.2.7 of the standard as:
Compensating Measure: temporary implementation of planned and documented methods for managing risks during any period of maintenance or process operation when it is known that the performance of the SIS is degraded.
In clause 11.8.5 (in section 11.8, maintenance or design requirements) of the standard, we find further emphasis on the role of compensating measures:
Compensating measures that ensure continued safe operation shall be provided in accordance with 11.3 when the SIS is in bypass (repair or testing).
It shall be noted that 11.3 refers to requirements for the SIS under fault conditions in the standard.
In fact, Clause 11.8.5 further reinforces the administrative aspects of bypass management by requiring that when a bypass is initiated, compensating measures must be put in place. We may say that compensating measures are the means by which the SIF that has been bypassed is “replaced”, either through the use of redundant equipment or administrative controls.
Some more aspects of compensating measures and bypass sequence are found in 16.2.3 of the standard, as:
Operation procedures shall be made available. Compensating measures that ensure continued safety while the SIS is disabled or degraded due to bypass (repair or testing) shall be applied with the associated operation limits (duration, process parameters, etc.). The operator shall be provided with information on the procedures to be applied before and during bypass, and what should be done before the removal of the bypass, and the maximum time allowed to be in the bypass state. This information shall be reviewed regularly.
Developed Operating Procedure
From 16.2.4 of the standard, an Operating Procedure shall be developed based on a complete hazard analysis and the compensating measures considered. Robust procedures and process safety information play an important role in managing safety bypasses. When a bypass is invoked, process safety information such as consequence and severity type helps to carry out the risk assessment, reflecting the mitigation measures and approval information.
Bypass Status Record
In 16.2.7 of the standard, it is mentioned:
“The status of all bypasses shall be recorded in a bypass log. All bypasses need authorization and indication.”
Since, as mentioned, bypassing is not a normal routine act, the status of all bypasses shall be recorded and logged, in order to maintain a regular and traceable sequence of actions and existing risks (with their possible consequences).
Authorization and Required Competency
As mentioned in 16.2.6 and 16.2.7 of the standard, all bypasses need authorization (and indication), in addition to some required competencies, which are described below. Two main items of these competencies are:
The correct operation and management of all bypass/override switches and the circumstances under which these bypasses are to be used; and the operation of any manual shutdown switches and manual start-up activity, and when these manual switches are to be activated.
Although the bypass design shall be such that operator error is prevented, security protection shall also be considered to prevent unauthorized bypass activation (e.g., by key lock or password protection), as mentioned in 11.7.2.2 and 11.7.2.3 of the standard (and shown in Figure 5).

Figure 5: Some Further Safety Bypass Conditions/ Requirements in IEC-61511
Don’t Disable Manual Shutdown
In section 11.7.3, and in the detailed wording of item 11.7.3.2, the standard declares that Manual Shutdown shall not be disabled during bypassing:
Where bypasses are required they should be installed such that alarms and manual shutdown facilities are not disabled.
In clause 11.2.8, the Manual Means (e.g., emergency stop push button) is defined as:
Manual means (e.g., emergency stop push button), independent of the logic solver, shall be provided to actuate the SIS final elements unless otherwise directed by the SRS.
During the Process Hazard Analysis of the Process Plant, the required Manual Shutdowns will be specified and reflected in relevant documents (and P&IDs).
Relevant Alarms Shall not be Disabled
This condition is mentioned in 11.7.3.2 too. It is clear that bypassing only cuts the connection of the signal to the Functional Logic, while signal monitoring and the relevant alarms shall continue, so that the health status of the signal (SIS device) can still be detected.
Bypassing Time Limit
Since bypassing degrades the safety function concerned, it shall have a time limit and shall be removed as soon as possible. This condition, together with the emphasis on the other conditions, is shown in Figure 6.

Figure 6: Some Safety Bypass Limiting Conditions/ Requirements in IEC-61511
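To make the Inhibit/Override distinction (Figure 3) and the bypass conditions above (authorization, bypass log, alarms and manual shutdown not disabled, time limit) concrete, here is an added example, not code from the article or from IEC 61511, of a single high-pressure safety function evaluated each logic-solver scan. The tag, trip setpoint, authorized roles and the 8 h limit are hypothetical values; `now` is a timestamp in seconds.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of one high-pressure SIF; not code from IEC 61511 or the
# article. Setpoint, roles and the 8 h limit are hypothetical values.
TRIP_SETPOINT_BARG = 10.0
MAX_BYPASS_SECONDS = 8 * 3600
AUTHORISED_ROLES = {"shift_supervisor", "sis_engineer"}

@dataclass
class BypassRecord:
    """One bypass log entry (16.2.7: the status of all bypasses is recorded)."""
    tag: str
    role: str
    reason: str
    started: float
    removed: Optional[float] = None

@dataclass
class SafetyFunction:
    tag: str
    bypassed: bool = False
    manual_shutdown: bool = False   # ESD push button, independent of the logic solver (11.2.8)
    log: list = field(default_factory=list)

    def apply_bypass(self, role: str, reason: str, now: float) -> BypassRecord:
        """Override-style bypass: needs authorization (16.2.7) and is always logged."""
        if role not in AUTHORISED_ROLES:
            raise PermissionError(f"{role} is not authorised to bypass {self.tag}")
        self.bypassed = True
        self.log.append(BypassRecord(self.tag, role, reason, now))
        return self.log[-1]

    def remove_bypass(self, now: float) -> None:
        self.bypassed = False
        self.log[-1].removed = now

    def bypass_overdue(self, now: float) -> bool:
        """True once the open bypass exceeds the maximum allowed time (16.2.3)."""
        return self.bypassed and now - self.log[-1].started > MAX_BYPASS_SECONDS

    def evaluate(self, pressure_barg: float, now: float) -> dict:
        """One logic-solver scan. The alarm stays live under bypass (11.7.3.2);
        Override holds the logic input at its defined normal state instead of
        leaving it undefined (Figure 3); manual shutdown trips regardless of bypass."""
        high = pressure_barg >= TRIP_SETPOINT_BARG
        logic_input = False if self.bypassed else high
        trip = logic_input or self.manual_shutdown
        return {"alarm": high, "trip": trip, "bypass_overdue": self.bypass_overdue(now)}
```

Under bypass the operator still sees the high-pressure alarm and can still trip the final element manually, while an overdue flag supports the "maximum time allowed in the bypass state" requirement.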
Bypassing for Device Repair or Proof Testing
As can be concluded from Figure 6, the main purpose of Bypass/Override of an SIS device during normal process operation comes down to Device Repair (maintenance) or Proof Testing.
Device Proof Testing
In order to keep certain safety device characteristics and performance within the considered validity margins, periodic proof tests should be performed. Proof testing of safety devices is defined in 3.2.56 of the IEC 61511 standard as:
Proof Test: periodic test performed to detect dangerous hidden faults in a SIS so that, if necessary, a repair can restore the system to an ‘as new’ condition or as close as practical to this condition.
In some cases, performing online Proof Testing may require a kind of Bypass/Override in order to avoid shutting down the process plant.
Forcing is not equal to Bypass or Override
It shall be mentioned that forcing of inputs and outputs in Programmable Electronics (PE) is not equal to Bypass/Override, as declared in 11.8.6:
Forcing of inputs and outputs in PE SIS shall not be used as a part of application program(s), operating procedure(s) and maintenance (except as noted below).
Forcing of inputs and outputs without taking the SIS out of service shall not be allowed unless supplemented by procedures and access security. Any such forcing shall be announced or set off an alarm, as appropriate.
Maintenance versus Process Bypassing & Override Safety Function
It shall be noticed that all the above-mentioned references from the IEC standard mainly refer to Bypass/Override of safety signals while the process plant is in normal operation, i.e., for SIS device repair or proof testing. This type of bypassing is usually called a Maintenance Override.
However, sometimes due to process requirements, it may be necessary to bypass SIS device signals while the process plant is in normal operation or before reaching this mode of operation (i.e., in plant startup mode). This type of bypass is usually called a Process Override, or a Startup Override (during plant startup). These types of overrides need more care during risk analysis or PHA, together with further procedural documents and administrative controls. A Process Override shall be clearly specified in the process documents (especially in P&IDs), and it may be implemented in the functional logic (with studied additional risk acceptances), while a Startup Override of safety device signals is usually done via Forcing in the PE.
However, a Startup Override may also be implemented similarly to a Maintenance Override, by engaging the functional logic with additional logical conditions, since this provides more tracing and recording than forcing in the PE. This routine may be considered good practice for the realistic implementation of all bypass types for safety signals. Such overrides are sometimes called Commissioning Overrides.
Validating Bypassing
In any case, all Force Bypassing (permissives) or Commissioning Overrides shall be validated and then removed before the process plant is put into normal operation (i.e., after SIS validation), as stated in the standard (Figures 7 and 8).

Figure 7: Safety Bypass Validation Conditions/ Requirements in IEC-61511

Figure 8: Safety Bypass after Validation Conditions/ Requirements in IEC-61511
Practices for Doing Bypass of Safety Signals
This article has shown some standard requirements (reflected in IEC 61511), but the realistic implementation routine for bypassing safety signals while fully satisfying those requirements depends on the Design Engineer’s practices. As an example (mentioned above), providing a suitable Startup Override by engaging the functional logic instead of forcing input and output signals may be considered one of these practices. Another example concerns the different routines for override (enable/disable) switches and their locations in the activation of override sequences.
Bypass (of Safety Signals) Management System
Since bypassing safety signals degrades the SIS with respect to its requirements, any bypass shall be considered in Process Safety Management (including Management of Change, MOC), as mentioned in 5.2.6.2.4 and 5.2.6.2.5 of the IEC 61511 standard:
5.2.6.2.4 Management of change procedures shall be in place to initiate, document, review, implement and approve changes to the SIS other than replacement in kind (i.e., like for like, an exact duplicate of an element or an approved substitution that does not require modification to the SIS as installed).
5.2.6.2.5 Management of change procedures shall be in place that identifies changes that will affect the requirements on the SIS (e.g., re-design of a BPCS, changes to manning in a certain area).
On the other hand, bypassing shall be considered an item that needs MOC procedures at the project site (due to the established safety systems and all relevant administrative controls and organizational responsibility charts).
Furthermore, the bypassing procedure (implemented via BPCS and SIS) shall be considered part of the SRS (Safety Requirement Specification), as mentioned in clause 10.3.2 of the standard:
Requirements for bypasses including written procedures to be applied during the bypassed state which describe how the bypasses will be administratively controlled and then subsequently cleared.
Conclusion
In this article, some requirements for bypassing safety signals were reviewed by citing exact texts of the IEC 61511 standard, the global standard on Safety Instrumented System (SIS) requirements. Although for each subject we refer to a dedicated clause or section, such subjects may generally be referred to, discussed, or confirmed at several other points or clauses of the standard (not mentioned here, to keep the structure of the article).

Figure 9: Some Aspects of Safety (SIS) Bypass in IEC-61511 Standard.