Professional Documents
Culture Documents
PR-1001c - Temporary Override of Safeguarding System Procedure
PR-1001c - Temporary Override of Safeguarding System Procedure
Document ID PR-1001c
Security Unrestricted
Revision 6.2
Copyright: This document is the property of Petroleum Development Oman, LLC. Neither the whole nor
any part of this document may be disclosed to others or reproduced, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, reprographic recording or otherwise)
without prior written consent of the owner.
Revision: 6.2
Petroleum Development Oman LLC Effective: Oct-14
i Document Authorisation
Authorised For Issue – July 2014
ii Revision History
The following is a brief summary of the 4 most recent revisions to this document. Details of all
revisions prior to these are held on file by the issuing department.
5.0 Apr-13 Robin Norman UOP61 Reviewed and updated to address the
MoC Application and Web based forms
TABLE OF CONTENTS
i Document Authorisation.................................................................................................. 3
ii Revision History............................................................................................................... 4
iii Related Business Processes........................................................................................... 4
iv Related Corporate Management Frame Work (CMF) Documents...................................4
1 Introduction...................................................................................................................... 6
1.1 Background 6
1.2 Purpose 6
1.3 Scope 6
1.4 Distribution / Target Audience 6
1.5 Changes to the Document 6
1.6 Variance Approval 6
2 Roles and Responsibilities.............................................................................................. 7
3 Temporary Override of Safeguarding Systems..............................................................10
3.1 Authorisation for Temporary Override Risk Assessment 10
3.2 Process Overrides Request Form 11
3.3 Validity of Temporary Process Override 14
3.4 Temporary Process Override Auditing 15
3.5 Retention of Completed Process Override Requests 15
Appendix 1 – Worked Example of the Process Override Request.............................................16
Appendix 2 – Approved Override Type......................................................................................28
Appendix 3 – Abbreviations........................................................................................................ 29
Appendix 4 – Reference Material............................................................................................... 30
Appendix 5 – Temporary Overrides of Safeguarding and E-MoC audit......................................31
Appendix 6 – User Feedback Page............................................................................................ 33
1 Introduction
1.1 Background
IMPORTANT: OVERRIDING OF SAFETY CRITICAL SYSTEMS IS ONE OF THE LIFE
SAVING RULES
Definition: An override can be considered as a device which when initiated will defeat
the safeguarding action. The device will be returned to normal condition at the original
set point(s) once the override is removed.
NOTE: An override can also be considered as any method where a protective function
is defeated either temporarily or permanently
During the Operations Phase it sometimes becomes necessary to apply overrides on
Safeguarding Systems. This operation requires to be strictly controlled and monitored.
In addition the action of applying overrides requires to be risk Assessed to ensure that
all necessary controls are in place to reduce any induced risks to As low As Reasonably
Practicable (ALARP).
1.2 Purpose
The purpose of the procedure shall be to ensure that Safeguarding System
Temporary Overrides are authorised, applied, monitored and removed in a correct
and controlled manner
1.3 Scope
The scope of this procedure will be the management of Safeguarding System
Temporary Overrides.
NOTE: The procedure does not apply to devices are specifically provided for start-up.
Operating Integrity Co- Carry out a monthly audit of all system Overrides using
ordinator (interior) standard form. See Appendix 5
Table 1 above provides the Authorisation Level for the proposed Temporary Override.
Where a SIL/IPF classification is not in place the authorisation level required will be
decided from the Residual Risk of the supporting RAM.
The use of the override will require being Risk Assessed using the PDO RAM. The
RAM will be attached to the Web based override request and sent with the request for
review and authorisation. The Risk Assessment Approver will be determined by the
residual risk i.e. Low = DTL or Delegate; Medium = Operations Manager; High/Serious
= Technical Director.
3.1.1 DTL Delegation of Signing Authority
To allow for periods when the DTL is not available due to leave, illness etc. and to
facilitate the application of overrides following an unplanned event there may be a
requirement for him to delegate his signing authority to the Production Coordinator.
The delegation of such authority shall be given using the E-MoC process for
Organizational Change with a validity period not exceeding 1 month
The authority shall not be delegated for planned events outwith this period
IMPORTANT: Routine work that is covered by an approved procedure and has already
been risk assessed, via IPF or SIL Classification, can use the original risk assessment
provided that the risks assessed have not changed and no changes have been made to
the way the work is conducted. All other types of safeguarding override i.e. multiple,
long term, process startup and stabilisation and non-routine activities shall require the
risks to be assessed using the standard RAM.
From the management of Change list in green select Process Overrides. This will open
the access screen.
The access screen contains information on all process overrides that have been raised
and the status of each. To open a new request use ‘Add new item’ at the foot of the
screen.
The basic form that is opened will be completed by the requester. It is important to
remember that all items on the form that have a * or which are highlighted I red are
required and must be completed for the form to be processed.
The Requested by box is automatically generated and will be the same as the logged
on person using the computer. Appendix 1 displays an actual Form that has been
completed and implemented and shall serve as a guidance template to completing the
request Form fully.
Displayed above is the portion of the form that is completed by the requester. There are
a number of multi choice ‘dropdown’ boxes indicated by the selection is made by
highlighting the choice and clicking the mouse.
To select the reviewer enter the persons company number and click on the man/tick
icon or the browse icon and select using the person’s name, highlight and then OK
Attachments shall be a Risk Assessment to support the use of the override (refer to
Section 3.1) and any other document i.e. Method Statement, that is considered relevant
to assisting the reviewers and approvers in understanding the Request. The
attachments are selected from the computer and automatically embedded in the form.
They accompany the Form throughout its life cycle.
Once the Request is completed it is electronically processed and sent to the Reviewer.
This action is accomplished by clicking
place for operational reasons. When the PTW is validated the next day the necessary
Temporary Process Override shall be re-applied. Application and removal of the
Overrides should be recorded by “ON” / “OFF” E-MoC function to provide evidence and
reflect real status of the Overrides in the Register (E-MoC)
The PTW has a validity of 14 days after which it is closed out or extended. In
conjunction with the PTW the Temporary Process Override can be extended. A total of
three extensions, normally authorised by the production Coordinator are allowed after
which the Process Override request shall be closed out. If after this period the override
is still required, an example being if waiting for spares, a new E-MoC shall be raised
with the PTW number being ‘Operations’. The justification for the override will be
updated with the expected return to service as will the risk assessment.
If the override is expected to be in place for over 12 months then a FCP (Facilities
Change Proposal) should be made to engineer out the requirement for the override.
NOTE: If the Temporary Override is required to be maintained when, in the case of an
unmanned station, the station is vacated then approval shall be obtained from the
Production Coordinator. When leaving Temporary Overrides in place a Risk
Assessment shall be required to ensure all risks are mitigated to ALARP and it can be
demonstrated the area control room is able to monitor the process effectively and
initiate any remote actions required. Failure to satisfy this requirement shall mean
manning or shutting down the station during the night hours.
See PR-1172 – Permit to Work Section 7 for details on PTW validity and isolations.
Appendix 3 – Abbreviations
The following abbreviations have been used in this procedure:
ALARP As Low As Reasonably Practicable
CAL (Yokogawa), calibration, can be used to freeze a process variable in the DCS
and disable alarming to allow maintenance and testing. This overrides the
function, including alarms, of associated control and/or calculation. If the function
has executive action then CAL is classed as an override.
EORD Engineering and Operations Reference Document
EPI Extended Period Isolation
FCP Field Change Proposal
IPF Instrumented Protection Function
IPS Instrumented Protection System
MoC Management of Change
MOPO Matrix of Permitted Operations
MOS Maintenance Override Switch
PLC Programmable Logic Controller
PTW Permit to Work
RAM Risk Assessment Matrix
SAP Systems, Applications and Products
Scan off (Honeywell), the technique used to stop an Experion server reading data from
controller/point parameters, such as PV, SP and OP. This overrides the function,
including alarms, calculation, and associated control. If the function has executive
action then scan off is classed as and override.
SIL Safety Integrity Level
TA Technical Authority