10 - Override Control

Cairo Engineering Team

Override Control

Module 10 (45 min).
Objectives

• What are “Overrides”
• Why do we need override control
• Look at an override procedure
• Review the key objectives of the override procedure
• Review “Safety Override Risk Assessments” (SORA)
− What are they?
− When do we use them?
− What needs to be recorded in a SORA?
− When is a SORA generated and by whom?
• Have a brief look at eLogbook

Override Definition

GN 30-813 Control of Overrides:

“An override is considered to be any arrangement that inhibits a device or system from performing its protection function”

Other terms for “Override” include:

• Bypass
• Bypass Logic
• Start-up Logic
• Defeat
• Force
• Inhibit

We will consider overrides for instrumented LoPs (Layers of Protection) in this module
Exercise - Bypasses (10 min)

What are the types of override methods that could be used to disable the operation of:
• Safety Instrumented Functions
• BPCS Alarms or control loops taken as credit in LOPA?
Examples of Overrides

• Purposely designed override switches
− e.g. “enable” key switches, HMI software buttons, etc.
− Note: these are normally override enables, not overrides
• Forced (overwritten) software values / database system blocks
• Temporarily wired links or “jumpers”
• Start-up override without auto timer resets
• Alarm shelving of “safety related alarms” or “mitigation alarms”
• Use of bypass lines around valves
• Placing LoP controllers in manual
• Using a handjack (handwheel) on a SIF or other LoP valve
• Valve jammers or valve clamps
• Forcing transmitter signals using a handheld
• Override of Fire & Gas devices (e.g. optical fire & gas detectors)
− Avoid beam blocking when building scaffolding
• Faulty equipment (e.g. ignoring an instrument known to be reading inaccurately)
• Isolated equipment (e.g. isolation on measurement equipment)

A typical facility and its protection

[Diagram of a process vessel and its layers of protection, grouped as Prevention (ESD, LZHH, LAH, LIC control) and Mitigation (GZ gas detection); the managed override point is indicated on the drawing.]

• A typical facility will have a range of barriers to prevent Loss of Primary Containment (LoPC), e.g. a ruptured vessel which spills its contents
• It will also have a range of barriers to mitigate the LoPC
• If taking any of these out of service, you are overriding an LoP
All layers of protection in place

[Diagram: layers shown against a risk scale (High to Low). Prevention LoPs: Control Loop, Alarm + Operator Response, SIF, Pressure Relief. Mitigation LoPs: Leak Detection, Fire and Gas Detection, Bunds/Dykes, Emergency Response Plan. With every layer present the risk indicator sits at Low.]

• A typical facility will have layers of protection to prevent an LoPC
• It will have layers of mitigation to prevent an LoPC escalating into a fire
• With all barriers in place, the overall risk is low
Fire and Gas Detection taken out for maintenance

[Diagram: the same layers as the previous slide with Fire and Gas Detection removed; the risk indicator moves up towards High.]

• Now what happens if we override the Fire and Gas Detection for maintenance?
• The risk will go up, because that layer is no longer present
• It is important that this situation is not left for a long period because we may be exceeding the tolerable risk level
Temporary mitigation put in place

[Diagram: the same layers with Manual Gas Detection substituted for Fire and Gas Detection; the risk indicator moves back down, but not all the way to Low.]

• We could put in a temporary mitigation, such as manual gas detection.
• This will bring the risk back down – but probably not all of the way
Another layer is taken out

[Diagram: the same layers with Manual Gas Detection in place and the SIF now also removed; the risk indicator is at High.]

• If the SIF were to be removed from service – perhaps due to failed equipment – then the risk will increase, perhaps to an intolerably high risk level
• If the increased risk is above the tolerable risk limit, and can’t be temporarily mitigated, it may be necessary to reinstate the fire and gas detection or shut down production
Implications of Overrides

• When a layer of protection is overridden, the risk from the associated hazard increases
• The duration of an override is important – the longer it is in place, the longer the risk is higher than normal
• Temporary mitigation can be put in place but:
− It may not be as good at reducing risk
− It may not be practical for long periods (e.g. manual monitoring)
− It may increase the severity of the hazard (e.g. by putting a person close to the plant)
• Effective management of overrides requires that each override is carefully identified, risk assessed, prepared, applied, reviewed and removed, with the appropriate level of auditing under a continuous improvement cycle
Override Procedure – Typical ‘Best Practice’ Workflow

1. Requirement
2. Risk Assessment (SORA)
3. Prepare to Work
4. Apply Override
5. Review Override
6. Work Completed
7. Audit
8. Continuous Improvement

• Effective management of overrides should follow a defined and effective workflow
• There needs to be effective coordination of work across all crews and activities
− To stay within tolerable risk
− To avoid logistics interference
• Each of these steps will be reviewed in some detail in the following slides
1. Identify the requirement for the override

• Functional testing or proof tests
• Maintenance (preventative or repair)
• Operational (e.g. start-up)
• Ensure sufficient challenge to whether the override is actually required
2. Risk Assessment

• Assessment must be adequate in relation to the risk reduction being removed
• Identify the hazards in taking the Layer of Protection out of service
• Determine safe operational conditions
• Identify mitigation(s), to be “proportionate” to the hazard
• Consider risk and appropriate equivalent compensating measures
• Obtain approval for the risk assessment and override
• Determine the time to be overridden (e.g. SIF MTTR)
• Identify other LoPs that need to be in working order
3. Prepare to Work

• Work procedures should follow existing Control of Work processes
• Plan work
• Obtain permit to work
• Carry out briefings/toolbox talks

SIS Ops & Maintenance – Override Control Module 10
4. Apply Override

• Supervisor (or other designated approver) approves override
• Operators to show that they are aware of the override and mitigation
• Log override in the normal system (e.g. eLogBook)
• Log should include cross-reference to risk assessment / permit(s) to work
• Check that the necessary override conditions stated are achieved
• Operator must be able to see all overrides that are in place
• Override can now be applied
5. Review Override

• Overrides must be reviewed at shift change, with a record made of operator awareness when starting shift
• Facility engineers should also have access to the override log
• Check override has not exceeded the time limit (e.g. 96 hours)
• Check that the override has been removed after work has been completed
• If override is on because of a fault, check that work is in progress to repair it
6. Work Completed

• Inform Supervisor and Operators
• Remove Override
• Update Log
• Close out permits
7. Audit

• Regular audits should ensure no overrides are left on beyond their time, or when not required
• Audits ensure that the procedure is being followed
• Audits will require adequate access to the override information
• The log should provide a full audit trail of each override, to include:
− What (equipment overridden)
− Why (purpose)
− When (time, date and duration)
− Who (personnel involved in requesting, reviewing, implementing)
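As an added example (not from the slides or from GN 30-813), the Python sketch below models an override log entry with the What / Why / When / Who fields the Audit slide calls for, plus the cross-references to the SORA and permit to work, and then runs the checks from the Review Override slide over the log: override past the time limit (using the slide's example figure of 96 hours), override still applied after the work was completed, a fault-related override with no repair in progress, and a missing cross-reference. All tags, names, reference numbers and the sample log are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Review limit taken from the slide's example figure (96 hours); a real site sets its own.
TIME_LIMIT = timedelta(hours=96)


@dataclass
class OverrideRecord:
    """One entry of an override log carrying the What / Why / When / Who audit fields."""
    what: str                         # What: equipment (tag) overridden
    why: str                          # Why: "proof test", "maintenance", "fault", "start-up"
    applied: datetime                 # When: time and date the override was applied
    requested_by: str                 # Who: requester
    approved_by: str                  # Who: supervisor / designated approver
    implemented_by: str               # Who: person who applied the override
    sora_ref: Optional[str] = None    # cross-reference to the SORA
    permit_ref: Optional[str] = None  # cross-reference to the permit to work
    removed: Optional[datetime] = None
    work_completed: bool = False      # set at step 6 "Work Completed"
    repair_in_progress: bool = False  # only relevant when why == "fault"

    def duration(self, now: datetime) -> timedelta:
        """Duration so far (still active) or total duration (removed)."""
        return (self.removed or now) - self.applied


def active_overrides(log: List[OverrideRecord], now: datetime) -> List[str]:
    """Tags of all overrides currently applied: what the incoming shift must be shown."""
    return [r.what for r in log if r.removed is None]


def review_override_log(log: List[OverrideRecord], now: datetime) -> List[str]:
    """Shift-change / audit review. Returns one finding per problem; an empty list means a clean log."""
    findings = []
    for rec in log:
        if rec.removed is not None:
            continue  # closed override; nothing left to review
        if rec.sora_ref is None or rec.permit_ref is None:
            findings.append(f"{rec.what}: no cross-reference to SORA / permit to work")
        if rec.duration(now) > TIME_LIMIT:
            hours = rec.duration(now).total_seconds() / 3600
            findings.append(f"{rec.what}: active for {hours:.0f} h, exceeds the {TIME_LIMIT} limit")
        if rec.work_completed:
            findings.append(f"{rec.what}: work completed but override not removed")
        if rec.why == "fault" and not rec.repair_in_progress:
            findings.append(f"{rec.what}: fault override with no repair work in progress")
    return findings


# Constructed sample log (tags, people and reference numbers are made up for the example).
NOW = datetime(2024, 3, 10, 6, 0)
SAMPLE_LOG = [
    OverrideRecord("LZHH-101", "proof test", NOW - timedelta(hours=3), "A. Operator", "B. Supervisor",
                   "C. Technician", sora_ref="SORA-017", permit_ref="PTW-4411"),
    OverrideRecord("GZ-204", "maintenance", NOW - timedelta(hours=120), "A. Operator", "B. Supervisor",
                   "C. Technician", sora_ref="SORA-031", permit_ref="PTW-4398"),  # past the 96 h limit
    OverrideRecord("LAH-102", "fault", NOW - timedelta(hours=10), "A. Operator", "B. Supervisor",
                   "D. Technician", sora_ref="SORA-009", permit_ref="PTW-4420"),  # repair not started
    OverrideRecord("PZHH-110", "proof test", NOW - timedelta(hours=30), "A. Operator", "B. Supervisor",
                   "C. Technician", sora_ref="SORA-022", permit_ref="PTW-4415", work_completed=True),
    OverrideRecord("LIC-100", "maintenance", NOW - timedelta(hours=200), "E. Operator", "B. Supervisor",
                   "C. Technician", sora_ref="SORA-004", permit_ref="PTW-4370",
                   removed=NOW - timedelta(hours=190)),                             # closed entry
]

if __name__ == "__main__":
    print("Active overrides:", active_overrides(SAMPLE_LOG, NOW))
    for finding in review_override_log(SAMPLE_LOG, NOW):
        print("FINDING:", finding)
```

Run against the sample log, the review returns three findings (GZ-204 over the time limit, LAH-102 with no repair in progress, PZHH-110 still applied after work completion) and none for the healthy LZHH-101 entry or the closed LIC-100 entry; the same function is what an audit would run over the full log rather than just the active entries of one shift.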
8. Continuous Improvement

• Maintain Key Performance Indicators (KPIs) related to overrides
− E.g. average number in place, average override duration, number of overrides, etc.
• Identify “worst offending” overrides and engineer a solution
• Set targets and trend results
• Determine the cumulative time that any override has been applied so that it can be compared with design assumptions
Override-Equivalent Compensating Measures

• When bypassing or taking an LoP out of service, “equivalent compensating measures” should be considered as part of the risk assessment, in order to manage the risk to a tolerable level
• The following are some examples (not an all-inclusive list) of potential equivalent compensating measures:

LoP Removed From Service     Potential Equivalent Compensating Measures
SIL 1 SIF,                   Manual observation of a local indicator and action (e.g. manual valve)
Alarm/operator action,       Removing people from the hazard area
Control loop                 Increased control of potential initiating causes
SIL 2 SIF                    Two of the above compensating measures
SIL 3 SIF                    Should not be taken out of service when operating, since this level of
                             equivalent compensating measures is difficult to achieve.
Safety Override Considerations

• Focus here is Safety Instrumented Systems, but the same principles apply to any LoP, such as alarms or control loops credited in LOPA
− Should also apply to relief valves, fire and gas detectors, etc. (i.e. any LoP that provides risk reduction and is to be defeated)
• If an override is always needed for start-up, consider a permanently engineered start-up override
• If an override is necessary for an extended period of time, MOC (Management of Change) should be performed
− time varies by facility but is often ~96 hours
− A ‘Mean Time To Repair’ number was assumed in the design calculations for SIFs and MOC should be performed if MTTR is exceeded
Safety Override and Risk Assessment - SORA

• SORA is a key element of risk management when overriding an LoP
• Note: some regions use different terms:
− IORA – Integrity Override Risk Assessment
− TORA – Trip Override Risk Assessment
• SORA must be conducted before the override is applied
− goal is to manage the risk to a tolerable level by temporarily putting in place alternate LoPs (often referred to as ‘equivalent compensating measures’)
• Ideally, SORAs should be pre-prepared and ready for use for each LoP
• Where a pre-prepared SORA is not available for an LoP, one will need to be done prior to initiating the override
• Typically a SORA is not needed if the override is managed/covered in start-up procedures
• Pre-prepared SORAs should be reviewed periodically (e.g. every 5 years, similar to HAZOP)
Generation of a SORA

• Generate the SORA in an organised override risk review prior to needing to initiate the override.
• Review participants will typically include (but varies depending on LoP):
− Process Safety Engineer
− Process Engineer
− Operations Engineer
− Instrument and Protective Systems Engineer or Control and Automation Engineer
− An experienced Operator
• Use the latest HAZOP and LOPA
• All SORAs should be approved for use by the Process Safety Engineer or other designee.
• A SORA may be generated for specific maintenance routines which contain one or more overrides
− this is a good idea because then the risk of the whole activity can be considered
Reusing SORAs

• An approved SORA can be used over and over if:
- Required process conditions are met
- Mitigation requirements can be implemented
- Other LoPs related to the associated hazard are functional
- Site controller (supervisor) signs off
Override Key Performance Indicators (KPIs)

• KPIs should be maintained to track override performance.
• At a facility level there are many KPIs reported
• Typical KPIs are:
− The number of overrides that have occurred in a period
− The duration of overrides
− The number of overrides exceeding the allowed time
• KPIs should be trended over time to see whether the use of overrides or their duration is increasing or decreasing
• Investigating the time when overrides are set or removed can also show systematic influences of things like shift preferences, day-time or night-time working, handover periods, or even lunch breaks
GN 30-813 SORA Example – this is typical, yours may be different

[Image of the GN 30-813 SORA form; not reproduced in this text.]

GN 30-813 SORA Example Continued – this is typical, yours may be different

[Image of the second page of the GN 30-813 SORA form; not reproduced in this text.]
Urgent Generation of a new SORA

• Sometimes, a prepared SORA will not be available, and an override needs to be applied urgently
• This is sometimes called an Emergency SORA
• The process below can be used

[Flowchart, rendered here as a sequence:]
1. New SORA generated by shift team
2. Temporary application of override (1 shift). The Site Controller may extend this period by re-authorizing the temporary SORA for each shift
3. Engineering review to be led by the Process Safety Engineer (call out may be required)
4. Normal application of the override
5. Approval/Endorsement
6. Store for future use
7. Repeated use of SORA following revalidation
Override Decision Tree (based on Andrew Asset and NS practices)
For Reference Only

[Flowchart, rendered here as decision steps:]
• Override required? Is the override covered by a start-up procedure?
− Yes: additional risk assessment (SORA) not required; ensure eLog is updated
− No: continue below
• Is the override for offline plant (i.e. plant is isolated for maintenance, e.g. test separator offline)?
− Yes: record the isolation in eLogbook (SIL rated device overridden). NOTE: these overrides will not be counted as “Long Term” overrides
− No: does a SORA exist? If yes, use the existing SORA; if no, complete a SORA
• Is the override SIL rated? No – will the override be on for more than a shift?
− No: no requirement to complete a SORA; override to be reported as an SDO in eLog
− Yes: complete a SORA to risk assess prolonged operations with the override. A non-SIL override in place for > 28 days requires reclassification to “Long Term”
• Is the override SIL rated? Yes – SIL 1 or SIL 2:
− Complete the SORA (approved by: ________) and record the isolation in eLogbook
− SIL rated overrides in place > 96 hours require classification to “Long Term”
− Request the Asset Process Engineer to implement an eMOC/ORA before the 96 hours expires to justify continued operation; update eLogbook with the eMOC/ORA number
• Is the override SIL rated? Yes – SIL 3: will not be overridden; override to be reported to the Process Engineer
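Added example, not part of the deck: a Python sketch that computes the KPIs named on the KPI and Continuous Improvement slides (number of overrides in a period, average duration, number exceeding the allowed time, cumulative time per tag against a design assumption, and the hour of day at which overrides are applied, for spotting shift or handover influences), using the “Long Term” thresholds from the decision tree (non-SIL > 28 days, SIL rated > 96 hours). The events, tags and the `design_hours` figures are constructed, and comparing cumulative override hours per tag against a single design figure is this example's simplification of “compare with design assumptions”.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Classification thresholds from the decision tree on the slide.
NON_SIL_LONG_TERM = timedelta(days=28)   # non-SIL override in place > 28 days -> "Long Term"
SIL_LONG_TERM = timedelta(hours=96)      # SIL rated override in place > 96 hours -> "Long Term"


@dataclass
class OverrideEvent:
    tag: str
    sil: int                            # 0 for a non-SIL LoP (alarm, control loop); 1..3 for a SIF
    applied: datetime
    removed: Optional[datetime] = None  # None while the override is still applied

    def duration(self, now: datetime) -> timedelta:
        return (self.removed or now) - self.applied


def allowed_time(ev: OverrideEvent) -> timedelta:
    return SIL_LONG_TERM if ev.sil > 0 else NON_SIL_LONG_TERM


def is_long_term(ev: OverrideEvent, now: datetime) -> bool:
    """True once the override has been in place longer than its classification threshold."""
    return ev.duration(now) > allowed_time(ev)


def period_kpis(events: List[OverrideEvent], start: datetime, end: datetime, now: datetime) -> Dict[str, float]:
    """KPIs for overrides applied in [start, end), plus the number still active at the end of the period."""
    in_period = [e for e in events if start <= e.applied < end]
    durations = [e.duration(now) for e in in_period]
    avg = sum(durations, timedelta()) / len(durations) if durations else timedelta()
    return {
        "count": len(in_period),
        "avg_duration_h": avg.total_seconds() / 3600,
        "exceeding_allowed": sum(1 for e in in_period if is_long_term(e, now)),
        "active_at_end": sum(1 for e in events if e.applied < end and (e.removed is None or e.removed >= end)),
    }


def cumulative_hours_by_tag(events: List[OverrideEvent], now: datetime) -> Dict[str, float]:
    """Total hours each tag has been overridden, for comparison with design assumptions."""
    totals: Dict[str, float] = {}
    for e in events:
        totals[e.tag] = totals.get(e.tag, 0.0) + e.duration(now).total_seconds() / 3600
    return totals


def over_design_assumption(events: List[OverrideEvent], design_hours: Dict[str, float], now: datetime) -> List[str]:
    """Tags whose cumulative override time exceeds the unavailability assumed for them in design (constructed figures)."""
    totals = cumulative_hours_by_tag(events, now)
    return sorted(tag for tag, limit in design_hours.items() if totals.get(tag, 0.0) > limit)


def applied_hour_histogram(events: List[OverrideEvent]) -> Counter:
    """Hour of day at which overrides were applied; clustering points at shift / handover influences."""
    return Counter(e.applied.hour for e in events)


# Constructed events for one quarter (not real plant data).
NOW = datetime(2024, 4, 1, 0, 0)
Q1_START = datetime(2024, 1, 1, 0, 0)
EVENTS = [
    OverrideEvent("LZHH-101", 2, datetime(2024, 1, 10, 8), datetime(2024, 1, 12, 8)),   # 48 h
    OverrideEvent("LZHH-101", 2, datetime(2024, 2, 1, 20), datetime(2024, 2, 6, 20)),   # 120 h: Long Term
    OverrideEvent("LAH-102", 0, datetime(2024, 1, 15, 14), datetime(2024, 2, 20, 14)),  # 36 days: Long Term
    OverrideEvent("GZ-204", 1, datetime(2024, 3, 30, 8)),                               # still active, 40 h
    OverrideEvent("LIC-100", 0, datetime(2023, 12, 20, 8), datetime(2023, 12, 22, 8)),  # previous quarter
]
DESIGN_HOURS = {"LZHH-101": 72.0, "GZ-204": 72.0, "LAH-102": 1000.0}  # constructed design assumptions

if __name__ == "__main__":
    print(period_kpis(EVENTS, Q1_START, NOW, NOW))
    print(cumulative_hours_by_tag(EVENTS, NOW))
    print("Over design assumption:", over_design_assumption(EVENTS, DESIGN_HOURS, NOW))
    print("Applied by hour of day:", applied_hour_histogram(EVENTS))
```

Trending means running `period_kpis` for consecutive periods and comparing the dictionaries; the example deliberately counts an active override in the period in which it was applied, so an override that spans a period boundary is not double-counted.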
Summary - Override Control

• Override - any arrangement that inhibits a device or system from performing its protection function.
− can be applied to preventative barriers or mitigating barriers
• Alternative LoPs can be put in place, but may not be as effective
• Time that an override is left on must be minimised
− MOC is performed if the override is required longer term
• Applying overrides must follow the defined override procedure
• Before an override is applied, it must be assessed with a Safety Override and Risk Assessment (SORA)
− This allows risk to be managed to a tolerable level by putting in place equivalent compensating measures
• SORAs should ideally be pre-prepared and ready for use for each LoP
Useful reading, contacts and websites

• GN 30-813 Control of Overrides
− http://etplib.bpweb.bp.com/login/IntegratedLogin.jsp?docNumber=GN%2030-813&docType=gn
• SharePoint Link to eLogbook
− https://epti.bpglobal.com/C19/eLogbook/default.aspx
• Contact link to Brett Grange (eLogbook Custodian)
− Brett Grange, brett.grange@uk.bp.com Tel: +44 (01932) 775912
• GDP 3.1-0001 Assessment, Prioritization and Management of Risk
− http://omslibrary.bpweb.bp.com/GroupOMSLibrary/Requirement/GDP/GDP_3_1_0001.doc
• GDP 4.5-0001 Control of Work – Listed under Group Defined Practice in the link below:
− http://omslibrary.bpweb.bp.com/Pages/GroupDefinedPractices.aspx
• GN 30-81 Safety Instrumented Systems (SIS) - Listed under Group Defined Practice in the link below:
− http://etplib.bpweb.bp.com/view/ViewDocumentFrameSetOffline.jsp?native=true&docType=etp&docID=0900a866802fbcb3