A Bypass by Any Name is Risky. Time for a Rethink?

Abstract

Since the inception of the modern concept of safety instrumented systems there has always been the need to bypass for many reasons, such as during start up, during process transitions, for maintenance, testing, repair, or replacement of faulty instruments. Bypasses are also referred to as inhibits, suppressions, forcing, impairments, or bridging, but regardless of the name, the process of enacting a bypass is risky. Why? When Safety Instrumented Functions (SIF) are bypassed there is an increased risk to operating facilities associated with the loss of the specific safety function. The extent of the increased risk is dependent on the consequence of the hazard involved (e.g. rupture, explosion, toxic exposure) and the other protective layers that have been designed into the facility. Bypasses intentionally designed into an Emergency Shutdown System (ESD) must be strictly controlled to minimize the risk to people, production, the environment, and profits. But the act of bypassing isn’t new. Traditional bypassing methods vary, for example: Hardwired-initiated bypass: Dedicated switches are connected to the inputs of the safety system to deactivate sensors and actuators, and then handled as part of the application program.Sensors and actuators are electrically isolated (disconnected) from the PLC (e.g. using clamps) and checked manually by special measures.Software-initiated bypass: Maintenance overrides initiated by serial communication to the safety system via an operator interface such as BPCS, DCS, SIS engineering tools or an independent HMI.