TN 015 Overrides 15
Newcastle Chambers Of Engineering Tel: 0191 285 4141 information@ncoe.co.uk www.ncoe.co.uk TECHNICAL AND MANAGEMENT SERVICES SAFETY CRITICAL SYSTEMS
Bhopal Accident 1984 (500,000 casualties):
- The flare tower designed to burn off MIC (Methyl IsoCyanate) was inhibited and removed from service. This unit could have safely disposed of the toxic gases.
- The gas scrubber was bypassed and isolated for maintenance. This unit could have neutralised the escaping MIC.
- The emergency sirens had been overridden, providing no warning to the people surrounding the plant.

Chernobyl 1986 (53 direct casualties, indirect casualties mainly children):
- Safety systems were overridden to prevent the reactor from tripping at low power.

Piper Alpha 1988 (167 casualties):
- The automatic activation of the deluge sea pumps was overridden. The deluge may have delayed and possibly prevented the second devastating gas explosion.
These events highlight the importance of not losing sight of live plant overrides, and of understanding the hazards and consequences of overrides on plant items, whether they are applied for routine maintenance or, to maintain production, as a result of equipment failure or malfunction. Many assets still use paper log books or home-made spreadsheets or databases as override logs, which do not match the rigour and auditable trail of other mandatory Safety Management Practices.

The objectives of the Acumen system logbook are:
- Simplify the monitoring of plant overrides
- Simple navigation via web browser
- Remote access potential to the log book from any location worldwide and from any number of users
- Unique user login
- Automatic audit trail
- Perform analysis and run reports
- Operational improvements for the site personnel
- Enhance visibility for Engineers & Management
- Compliant to HSE requirements
- Easy to install and administrate
Definition of an Override
Many definitions of an override exist; some industries may refer to overrides as bypasses and/or inhibits. For the purpose of this technical note the following definition shall be used throughout:

An override is any arrangement that interrupts a device or system from performing its function.

This includes:
- Purposely designed override switches (key switches, Human Machine Interface buttons)
- Forced software values
- Temporary wired links
- Blocking the view of line of sight devices
- Valve jammers
- Equipment out of service

Does not include:
- Process controllers being put into manual (though it is important that such action is taken only after consultation with the override log)
Categorisation of Overrides
Plant overrides shall fall into two categories:
i. Integrity rated overrides
ii. Non-integrity rated overrides

It is important to minimise the number of categories to simplify the process.

Integrity rated overrides
This includes all instrument loops that have an Integrity Level (IL) of 1 or greater and will include all loops associated with fire and gas detection. Instrument protective function loops provide a higher level of protection against:
- Hazards
- Harm to people
- Damage to the environment
- Production loss
- Asset damage

Non-integrity rated overrides
This category includes general control loops and logic functions, either on non-critical plant or on plant that has additional protection. Thus the loss of this instrument function would not result in a safety, environment or asset risk.
Risk Assessment
The requirement for a risk assessment, and the type of risk assessment used, will depend on which category the override is assigned to and on the estimated duration for which the override is to be applied. It is important that the appropriate engineering competencies are involved in the risk assessment. When a risk assessment has been produced, no matter which method is employed, its reference should be recorded on the override log.

Multiple Overrides
There is a danger that the cumulative risk of multiple overrides applied on the same unit or in the same area may provide a greater hazard than the sum of the individual hazards. Therefore the Operation Team Leader/Supervisor shall take this into account before approving a permit to work that requires an override.
Start-up Overrides
A start-up override is a defeat, identified within the Operations start-up procedure, that is required to enable the unit to be started. A start-up override must be removed as soon as possible, and it is preferred that this is done automatically. Start-up overrides with manual resets do not require any risk assessment, but they must be recorded in an override logbook. If a start-up override is required on a unit that already has additional (non start-up related) overrides applied, then the start-up overrides shall require a risk assessment.
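The categorisation, multiple-override and start-up rules above can be checked mechanically against the open log entries. The following is an added example, not part of the original technical note; the record fields, tag names and unit names are constructed assumptions, and "same area" is simplified to "same unit".

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Override:
    tag: str                    # loop tag (constructed sample values below)
    unit: str                   # plant unit the override is applied on
    integrity_level: int        # IL of the loop, 0 if it has none
    fire_and_gas: bool = False  # loop is part of fire and gas detection
    startup: bool = False       # identified in the Operations start-up procedure

def category(o):
    """IL of 1 or greater, or any fire and gas loop, is integrity rated."""
    rated = o.integrity_level >= 1 or o.fire_and_gas
    return "integrity" if rated else "non-integrity"

def startup_needs_risk_assessment(o, active):
    """A start-up override needs a risk assessment only when its unit
    already carries a non start-up override."""
    if not o.startup:
        raise ValueError("rule applies to start-up overrides only")
    return any(a.unit == o.unit and not a.startup for a in active)

def units_with_multiple_overrides(active):
    """Units whose cumulative risk must be weighed before approving a permit."""
    by_unit = defaultdict(list)
    for a in active:
        by_unit[a.unit].append(a.tag)
    return {u: sorted(tags) for u, tags in by_unit.items() if len(tags) > 1}

# Constructed sample log entries, not taken from the technical note.
ACTIVE = [
    Override("PT-101", "U1", integrity_level=2),
    Override("GD-007", "U1", integrity_level=0, fire_and_gas=True),
    Override("FIC-220", "U2", integrity_level=0),
]
NEW_U1 = Override("LSLL-110", "U1", integrity_level=1, startup=True)
NEW_U3 = Override("LSLL-310", "U3", integrity_level=1, startup=True)

if __name__ == "__main__":
    for o in ACTIVE:
        print(o.tag, category(o))
    print("U1 start-up needs RA:", startup_needs_risk_assessment(NEW_U1, ACTIVE))
    print("U3 start-up needs RA:", startup_needs_risk_assessment(NEW_U3, ACTIVE))
    print("Review cumulative risk:", units_with_multiple_overrides(ACTIVE))
```

Whether a non start-up override needs a risk assessment depends on category and estimated duration under the site's own procedure, so the example deliberately does not decide that case.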
Furthermore, the Operations Team Leader, at crew change, should arrange for the override log to be compared against the actual override status, so as to ensure that the log is up to date. Of course, the roles and responsibilities of the individuals named in the above table will vary between organisations.
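The crew-change comparison described above, as an added example that is not part of the original technical note. The CSV log layout, entry numbers, tag names and the list of observed overrides are constructed assumptions.

```python
import csv
import io

# Constructed sample override log export (assumed layout).
LOG_CSV = """entry,tag,status
0412,PT-101,OPEN
0413,GD-007,OPEN
0409,FIC-220,CLOSED
0414,XV-330,OPEN
"""

# Constructed list of tags found overridden on the plant at crew change
# (key switches, forced software values, temporary links and so on).
OBSERVED = ["pt-101 ", "FIC-220", "LT-450", "GD-007"]

def norm(tag):
    """Normalise a tag so that 'pt-101 ' and 'PT-101' compare equal."""
    return tag.strip().upper()

def open_log_entries(log_csv):
    """Return {tag: entry number} for entries still open in the log."""
    rows = csv.DictReader(io.StringIO(log_csv))
    return {norm(r["tag"]): r["entry"]
            for r in rows if r["status"].strip().upper() == "OPEN"}

def reconcile(log_csv, observed):
    """Compare the open log entries against the actual override status."""
    logged = open_log_entries(log_csv)
    logged_tags = set(logged)
    seen = {norm(t) for t in observed}
    return {
        # In force on the plant with no open entry: the log is hiding a live override.
        "applied_not_logged": sorted(seen - logged_tags),
        # Open entry but nothing applied: the entry was never closed out.
        "logged_not_applied": sorted((t, logged[t]) for t in logged_tags - seen),
        "matched": sorted(seen & logged_tags),
    }

if __name__ == "__main__":
    for finding, items in reconcile(LOG_CSV, OBSERVED).items():
        print(finding, items)
```

In the sample data FIC-220 appears as applied but not logged because its entry was closed while the override was still in place, which is the discrepancy the crew-change check exists to catch.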
Records
Records perform two necessary functions: firstly, they need to be informative to all those involved in managing overrides; secondly, they need to demonstrate that a safe management of work process is being effectively employed. During the lifecycle of the override application, information will be generated and may be stored in a number of locations. However, the override log, recommended to be located in the control room, will be the primary source of information. Because all the records must be auditable and secure, it is recommended that either paper or a purposely designed electronic override logbook be used. Logs built on Access and Excel should be avoided. All override records are to be held for a minimum of two years. All records < 1 year old should be easily accessible by the operations team; records that are > 1 year old should be held in a centralised archive.
Auditing
As override control is part of the safety management system, it must be audited on a periodic basis to ensure that the override procedure is working effectively. This audit process should be high level and adaptable.