Bypassing is a familiar practice in everyday life and is used in many ways, including in industrial process plants. Sometimes we are forced to use a bypass facility to avoid stopping normal plant operations. Using such a facility on safety functions degrades the safety system and so increases the possible risks and impacts. It is therefore not allowed in general, only in special cases and with extra requirements and care.
Safety Function Bypass or Override
This article reviews why we may need a Bypass (including of a Safety Function) and describes in general terms how it may be implemented. Bypassing Safety Functions requires great care and awareness, supported by the relevant management system (which includes documents and procedures).

Figure 1: Sometimes we need a Bypass! Otherwise, we will have to stop!
Why may we need “Bypass”?
In our daily life, we are familiar with the concept of bypass and use it in different ways. As an example, consider the roads that carry large volumes of car traffic and play a great role in human life. Such roads may develop defects or problems during their operating life (due to wear, fatigue, or internal or external damage or demolition). In such cases, we may use a bypass to keep the car traffic moving while the repair or modification is carried out; otherwise we would have to close the road and stop normal (transfer) operation (see Figure 1). In the final phases of road construction, bypasses may also be used at some points so that the road can be made ready and brought into normal operation.
In Process Industries, bypassing may be used when equipment develops problems or when its role or effect changes. Similarly, in control or safety systems, measuring devices (sensors) or actuators may fail or may not be fully operational (because of their conditions of use). Bypassing lets the process plant keep operating where otherwise normal operations would have to stop, which may have great effects.
Signal Bypassing takes two general forms: Inhibit, which cuts the continuation of the signal flow, and Override, which changes or modifies the signal to a new or fixed value. Bypassing control system signals must already be done with great care to manage the side effects on process performance and risk, but bypassing safety system functions cannot be done lightly because of the potentially high impact on safety and risk (relevant to Human, Environment, and Property or Production). It may be done only exceptionally, under strict rules and requirements and with great care.
In general, bypassing is used to manage the side effects of device or equipment conditions so that the process can start or continue its normal operation with controlled (minimized) risks, where otherwise it would have to be stopped or shut down.
How may we apply “Bypass”?
As stated, some requirements and conditions must be considered to apply a proper bypass. Such considerations may include:
1. A careful study before applying the Bypass to find all side effects and risks of the Bypass function. This study shall include:
- Investigating the Failure Types and Affected Area (size)
- Estimating the Bypass Time needed to handle the process demand without any unfavorable stop.
2. Considering compensating/mitigation measures (routines, devices, procedures, controls) to minimize the side effects and risks found. Applying a Bypass calls for more operator care (and additional compensating actions) as well as extra warning indications. Such considerations may also include suitable margins for Bypass side effects and risks (including the area outside the bypassed subject).
3. Following continuous procedural activities for removing the Bypass or minimizing the Bypass Time and controlling the consequences.
4. Continuously monitoring and tracking the status of the bypassed subject until normal conditions are reached.
5. Following and applying the proper sequence of activities for removing the Bypass and returning the subject to its normal state in the process once it is confirmed that the problem is solved.
These general conditions and considerations can be seen in Figure 2, as a good practice for implementing Bypass management for the above-mentioned example (Road Bypass).

Figure 2: Good Practice Example for Implementing Road Bypass Management (photos from ASRTRA BRIDGE).
Managing “Safety Bypass Function”:
Although we may sometimes need to bypass a Safety Function in Process Industries, the potential impact is so great that such a facility may be used only under Management of the Safety Bypass Function, following rules and standards that define the conditions and give guidance on the applicable procedures and routines. In some countries, governmental rules or notices oblige the process industries to follow such considerations exactly (see Figure 3 as an example).

Figure 3: US Governmental Notice on Bypassing Safety Devices
As is clear from Figure 3, safety devices can be out of service only for Start-Up, Maintenance, or Testing (in which cases a Bypass may help continue Process Operations). In normal Process Operations, on the other hand, the safety devices shall not be bypassed.
Some safety websites provide general rules for managing Safety Function Bypasses, such as the one shown in Figure 4.

Figure 4: Safety Website shows Bypassing Safety Control Rules
While some industrial associations describe Bypass/Override as horrid or detestable (see Figure 5), others clearly accept the Bypass Facility as one of the Fundamental Safety Aspects and give more detail on the use cases and the required management system in their documents (Figure 6).

Figure 5: “Override/ Bypass is horrid or detestable” mentioned in IOGP-Report 38: Process Safety Fundamentals (International Association of Oil & Gas Producers- October 2020)

Figure 6: Manage Override of Safety Critical Systems as one of the Process Safety Fundamentals (European Process Safety Center)
In some countries, Technical Boards accept the Safety Function Bypass as a safety fundamental and provide detailed guidelines and rules for implementing such a facility (in a particular branch of industry). Figure 7 shows one of these guidelines, issued by Energy Safety Canada.

Figure 7: “Bypassing Safety Controls” guideline document issued by Energy Safety Canada
Site end-user specialists are the ones who carry out the Bypassing of Safety Functions, so they need a complete system for it, including documentation and exact procedures with a responsibility chart and sequence definitions. To implement such a system, they rely on the facilities provided by the design engineering companies during site establishment and during implementation of the Process Control and Safety Systems, as reflected in those companies' documents. Figures 8 and 9 show two documents from well-known companies that give exact details of the requirements and considerations for Bypassing Safety Functions.
The more detailed the information and guidelines in such documents, the more regulated and complete the final Safety Function Bypassing can be, and of course the lower the safety risks or losses. As an example, Figure 8 refers to a document that contains a detailed flowchart and an implementation document format, which may be helpful for site end-user specialists.

Figure 8: “Override/ Bypass Control” guideline (practice) document issued by BP.

Figure 9: “Override/ Bypass Control” guideline in “Eni Process Safety Fundamentals” issued by Eni.
Review of BP Guideline Practice
In order to find some more detailed information regarding the Bypassing aspects, let us have a review of the BP guideline practice document (DWGOM Group Practice: DWGOM GP 30‑0130 Override/Bypass Control). The following texts are extracted from this document for educational purposes.
{{ This guidance is provided to ensure that all field personnel comply with the regulations as found at 30 CFR 250.803(c) (1) and 30 CFR 250.1004 (c). Regulatory INCs issued against these regulations could result in significant civil penalties, and if found to be a deliberate violation, could escalate into a criminal violation; however, of greater concern is the potential negative ramifications for the safety and health of our personnel.
30 CFR 250.803(c)(1)
“Surface or subsurface safety devices shall not be bypassed or blocked out of service unless they are temporarily out of service for startup, maintenance, or testing procedures. Only the minimum number of safety devices shall be taken out of service. Personnel shall monitor the bypassed or blocked-out functions until the safety devices are placed back in service. Any surface or subsurface safety device that is temporarily out of service shall be flagged.”
30 CFR 250.1004(c)
“If the required safety equipment is rendered ineffective or removed from service on pipelines that are continued in operation, an equivalent degree of safety shall be provided. The safety equipment shall be identified by the placement of a sign on the equipment stating that the equipment is rendered ineffective or removed from service.”
SCOPE
a. This STP provides expectations and guidance on all aspects of override/bypass control. These aspects include:
- Definition of override/bypass.
- Categorization of overrides/bypasses.
- Roles and Responsibilities
- Risk assessment (SORA).
- Start-up Overrides.
- Acknowledgement, authorization, and approval.
- Reviewing the records.
- Time limits.
- Logging requirements.
TERMS AND CONDITIONS:
….
Override
The temporary bypass of a safety function or IPL to allow certain work to proceed without causing an unnecessary process shutdown or alarms. Override is used to prevent a safety function from operating (but Alarm Monitoring/ Indication shall not be stopped).
(Note: The red color strikethrough text was mentioned in documents, but it seems that it shall be deleted as clarified in the final sentence.)
…
Bypass
Bypasses perform the same function as an override.
…
Specified Authority
Individual or individuals assigned by the Plant Manager to act as the Authority over all overrides and bypasses for the Facilities or Functions. This role shall be defined for all applicable positions inside Process Plant with clear responsibilities and competencies.
…
Eligibility for overrides/bypasses
Before any override/bypass is applied, the implications of doing so shall be fully understood, and adequate additional measures shall be applied to reduce the consequential risk of operating without automatic protection.
…
BASIC PRINCIPLES
- This document applies where there is a need for override/bypass or disabling of applications involving safety, commercial, or environmental risk.
- Safety functions requiring override/bypass or disabling for periods in excess of one week shall be subject to the full Management of Change (MOC) approval process.
- The responsibility for the safety overrides/bypasses (including those for maintenance purposes) shall be assigned to a Specified Authority. The Specified Authority has ultimate responsibility for the current status of any overrides/bypasses.
- The Safety Override Risk Assessment (SORA) is a decision support process intended to provide clear guidance when it is permitted to apply overrides/bypasses without further approval.
- All SORAs shall be reviewed when changes are made to the process that could impact the assumptions of the SORA.
- After a SORA is approved and recorded, the risk assessment may be used multiple times.
- A SORA may also be generated for specific maintenance routines. This SORA shall refer to the original SORA for each override/bypass.
- When multiple bypasses are in place, the risk of having these in effect simultaneously shall be assessed. The intent is to avoid a combination of bypasses that could lead to an undesirable event.
- SORAs shall be refreshed in cadence with HAZOP/LOPA revalidation.
- SORAs should be included in the Hazard and Risk Evaluation Plans (HREP) for the asset.
START-UP OVERRIDES
- A start-up override is a defeat that is identified within the operator’s start-up procedure, which is required to enable the unit to be started. A start-up override needs to be removed as soon as possible, and typically, this should be done automatically.
- Start-up overrides with automatic resets are not required to be controlled under this STP, as they have been specifically designed and reviewed during the design of the unit and during development and approval of the operating procedures. These procedures shall have been adequately risk assessed (e.g., HAZOP).
- Start-up overrides with manual resets do not require any risk assessment, but they shall be recorded in the override logbook.
- If any start-up override is required on a unit that already has additional (non-startup related) overrides applied, then the start-up overrides shall comply with this STP in its entirety.}}
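The Basic Principles and Start-Up Override rules quoted above can be checked mechanically against a snapshot of the override logbook. The following Python is an added example, not part of the BP document or of the original article; the record fields, tag names, grouping by unit, and the reading that every override under full control needs a recorded SORA reference are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MOC_LIMIT = timedelta(weeks=1)  # overrides "in excess of one week" need full MOC

@dataclass
class Override:
    tag: str                         # bypassed safety function (constructed tag)
    unit: str                        # process unit; grouping key is an assumption
    applied: datetime
    startup: bool = False            # identified in the start-up procedure
    auto_reset: bool = False         # removed automatically by the logic
    sora_id: Optional[str] = None    # reference to an approved SORA
    moc_id: Optional[str] = None     # reference to an approved MOC
    authority: Optional[str] = None  # Specified Authority holding responsibility

def audit(active, now):
    """Check the currently active overrides; return sorted (tag, finding) pairs."""
    findings = []
    for o in active:
        peers = [p for p in active if p.unit == o.unit and p is not o]
        # A start-up override on a unit that already carries a non-start-up
        # override loses its exemptions and falls under the full procedure.
        full_control = not o.startup or any(not p.startup for p in peers)
        if o.startup and o.auto_reset and not full_control:
            continue  # designed-in start-up override with automatic reset
        if full_control and o.sora_id is None:
            findings.append((o.tag, "no SORA on record"))
        if o.authority is None:
            findings.append((o.tag, "no Specified Authority"))
        if now - o.applied > MOC_LIMIT and o.moc_id is None:
            findings.append((o.tag, "over one week without MOC"))
        if peers:
            findings.append((o.tag, "assess combined risk on " + o.unit))
    return sorted(findings)

# Constructed logbook snapshot, not taken from any real plant.
NOW = datetime(2024, 3, 20, 12, 0)
LOG = [
    Override("PSHH-101", "V-100", datetime(2024, 3, 10, 8), sora_id="SORA-017",
             authority="shift supervisor"),
    Override("LSLL-102", "V-100", datetime(2024, 3, 19, 8), authority="shift supervisor"),
    Override("TSHH-201", "K-200", datetime(2024, 3, 20, 9), startup=True, auto_reset=True),
    Override("FSLL-301", "P-300", datetime(2024, 3, 20, 9), startup=True,
             authority="shift supervisor"),
    Override("XS-401", "H-400", datetime(2024, 3, 18, 8), sora_id="SORA-022",
             authority="shift supervisor"),
    Override("BSL-402", "H-400", datetime(2024, 3, 20, 9), startup=True, auto_reset=True),
]

if __name__ == "__main__":
    for tag, finding in audit(LOG, NOW):
        print(f"{tag}: {finding}")
```

The two start-up overrides on units with no other override produce no findings, while the automatic-reset start-up override on H-400 is pulled under full control because a non-start-up override is already active there.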
Review of a Good Article
To give some more details on Bypassing Safety Functions while keeping this article short, here we quote directly some extracted texts from “Safety Instrumented Bypass Management” by Amol V. Deshpande, CEng, TUV FSEng Senior Process Safety Engineer (20th Annual International Symposium-2017).
[[Safety bypass procedures are usually written on site to comply with IEC61511 standard and other recommendation references like OSHA 1910.119. However, in practice, safety bypass management can be difficult due to a lack of readily available process safety information, a lack of operator awareness, and the existence of a production throughput-oriented culture.
For many operating sites, process safety information (PSI) is only available in Process Hazard Analysis (PHA) reports. Commercial databases are available that display process safety information and make it readily available to operations and maintenance to properly implement and handle safety bypasses. An alternative approach is the creation of an in-house process safety database to provide easily-accessible process safety information.
Such site-provided procedure shall include a flow chart for bypass approval, how to perform a bypass risk assessment, and how to develop a relevant SIS database.
SIF and BYPASS
Safety instrumented function (SIF) acts as a preventive barrier to reduce the unmitigated risk. SIFs are automatic prevention barriers and do not require any manual intervention. Safety instrumented functions comprise sensors, a logic solver, and final elements. SIF has a defined executive action to bring a process to a safe state.
SIFs are often bypassed during
- Proof testing, or
- Start-up procedures, or
- Instrument failure
Even with a bypass management procedure in place, it is not sufficient to meet the requirements of IEC61511-1 standard due to the lack of information about:
- Predefined mitigation measures until SIF is in bypass
- Consequence and severity related to the SIF
- Other independent protection layers …
Robust procedure and process safety information play an important role in the management of safety bypasses. When a bypass is invoked, process safety information like consequence and severity type helps to carry out the risk assessment to reflect mitigation measures and approval information.
Proper management of Safety Instrumented Function (SIF) bypasses during process plant operation can be challenging and could compromise process safety if the SIF is bypassed longer than its allowable maximum time interval.
Safety Bypass

Safety bypass can be further classified into the following types:
Maintenance bypass: It is used to allow repair or routine online testing and operability checks of a ‘safety instrumented system’ to ensure its continued functionality and reliability to operate on demand
Operational bypass: It is used to provide an opportunity to maintain a continued operation where an instrument fault or failure has been confirmed.
Permissive bypass: In certain procedural situations, such as a unit or equipment ‘start up’, bypass has to be used as a ‘permissive’ to allow one or more input parameters of a ‘safety instrumented system’ that is in a ‘tripped’ status to reach the values required to enable a ‘reset’ of that system.
…
Types of Bypass
The bypasses are classified as follows.
- Planned Bypass
- Unplanned bypass (Abnormal Operational Conditions)
- Permissive bypass

1. Planned Bypass
Routine online checks or testing of the instrumented systems. Bypass risk assessment shall be carried out, and all specified risk control measures put in place before the bypass is used for tasks within this category.
2. Unplanned Bypass
The unplanned bypasses are based on abnormal operational conditions, categorized into two parts:
a. Abnormal Controlled Operational Condition
An ‘abnormal controlled operational condition’ is a developing process upset that has the potential to lead to a trip. If the situation has developed from a ‘known’ cause and has a well-practiced method of quickly mitigating the risk and re-stabilizing the operation, the ‘controlled’ use of bypass may be used in such circumstances. The appropriate approval and authorization are required when its use is clearly identified within a recognized practice and/or procedure.
b. Abnormal Uncontrolled Operational Condition
An ‘abnormal uncontrolled operational condition’ is a process upset where the cause is unknown and therefore no method of address is immediately available or known, and a process of investigation and diagnosis is required to identify the cause. Bypass shall never be used for “uncontrolled abnormal operational condition.”
3. Permissive bypass
When the trip function of a safety instrumented system is in an activated state and is therefore preventing the continuation of a start-up or other operational procedure, the use of bypass may be required as a ‘permissive’ to allow one or more of the safety instrumented system input parameters to reach the values required to enable its ‘reset’.
Once the instrumented system parameters have all reached the ‘stable’ values required to enable its ‘reset’, the permissive becomes the bypass again and therefore must be immediately removed to enable the instrumented system protection.]]
Conclusion
Bypassing is a familiar practice in everyday life and is used in many ways, including in Industrial Process Plants. Bypassing safety functions is not permitted as a normal routine because of the (high) increase in possible risks, yet in some cases refusing to use it may cause a plant shutdown (stop) with a big loss of benefits, and so we may be forced to use it. In such limited cases, bypassing safety functions may be done provided the exact requirements and considerations are met. In Process Industries, Bypassing may appear for process units, equipment, devices, or even signals inside Process Control and Safety Systems.
In Process Control and Safety Systems, Signal Bypassing takes two general forms: Inhibit, which cuts the continuation of the signal flow, and Override, which changes or modifies the signal to a new or fixed value.
Applying Bypass/Override in any case related to safety functions shall be done with great care and probably with additional measures (Figure 10). Some details of Safety Function Bypass/Override were also reviewed from good references.

Figure 10: Any Bypass/ Override needs more care and awareness.