Section 01

Haward Technology Middle East
HIGH CLASS TRAINING FOR ENGINEERS
Safety Instrumented Systems

(SIS) & Layers of Protection
Mr. Sydney Thoresson
©2024 Haward Technology Middle East. This document is the property of the course instructor and/or Haward Technology Middle East. No
part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of Haward Technology Middle East
Safety Instrumented Systems (SIS)
& Layers of Protection
Course Objectives
▪ Upon the successful completion of this course, each
participant will be able to:-
• Apply and gain a comprehensive knowledge on
safety instrumented systems (SIS) and layers of
protection
• Discuss the role and importance of SIS as well as key
components and architecture
• Employ risk and hazard identification methods like
HAZOP, risk assessment and management strategies
• Carryout step-by step methodology of LOPA and
safety integrity level (SIL)
Section 1 Haward Technology Middle East 2

Course Objectives
• Recognize the relevant international and national
standards (like IEC 61508, IEC 61511) and
regulations governing SIS
• Apply reliability concepts, RAM analysis as well as
failure modes and effects analysis
• Discuss the principles and lifecycle management of
SIF design in oil and gas operations
• Identify the sensor types and logic solver
technologies used in oil and gas including its
practical considerations and challenges

Course Objectives
• Discuss the types of final control elements and
implement the criteria for selection and sizing in oil
and gas applications
• Apply strategies for system integration by designing
effective human-machine interfaces and addressing
human factors and ergonomics
• Assess functional safety and carryout key
performance indicators, metrics and strategies for
ongoing testing and validation
• Employ routine operation, maintenance strategies
and advanced troubleshooting techniques in
enhancing system reliability and availability

Course Objectives
• Implement safety lifecycle management as well as
advanced diagnostics and predictive maintenance
• Recognize cybersecurity threats, emerging
technologies and future trends

Section 1
Preface

Preface
TABLE OF CONTENTS
Case Studies
▪ Bhopal Gas Tragedy
▪ Piper Alpha Disaster
▪ Chernobyl Catastrophe
▪ Buncefield Oil Depot Explosion

Preface
Case Studies
BHOPAL GAS TRAGEDY
Bhopal

Preface
BHOPAL GAS TRAGEDY

▪ On the night of Dec 2nd and 3rd 1984, a Union Carbide
plant in Bhopal, India, began leaking 27 tons of the
deadly gas methyl isocyanate (MIC).
▪ None of the four layers of safety systems designed to
contain such a leak were operational allowing the gas to
spread throughout the city of Bhopal.

Preface
BHOPAL GAS TRAGEDY
▪ Regular maintenance had fallen into such disrepair that
on the evening of December 2nd, while an employee was
flushing a corroded pipeline, multiple stopcocks failed
and allowed water to flow freely into the largest MIC
tank.
▪ Exposure to this water soon led to an uncontrolled
reaction.
▪ The tank exploded and released a deadly cloud of MIC,
hydrogen cyanide, mono methyl amine and other
chemicals into the atmosphere.

Preface
BHOPAL GAS TRAGEDY

The individual failures were:
▪ Tanks were not kept below 50% full as required. This
appears to have been because the nitrogen transport
system was so full of leaks that it could not be
operated.
▪ The decontamination tower was off-line for
maintenance and had been for a week.

Preface
BHOPAL GAS TRAGEDY

The individual failures were:
▪ The refrigeration system had been turned off months
earlier, together with the alarm system, because the
Plant Manager did not believe that it was necessary to
keep the MIC at 5°C. The ambient temperature was
20°C.
▪ The flare stack was also out of service for
maintenance.

Preface
BHOPAL GAS TRAGEDY
Flare tower
Designed to burn off gas, but a
connecting pipe had been
Vent gas scrubber removed for maintenance
Leaking gas could have been
detoxified, but the scrubber
was turned off
Water curtain
Not high enough to
reach gas
MIC storage tanks Refrigeration system

40 tons in E610, 15 tons in E611, E619 Freon system to cool MIC was
was empty. Water leaked into E610 shut down in June 1984 to save
causing runaway heat producing reaction other plants

Preface
BHOPAL GAS TRAGEDY

▪ More than 8,000 people were killed due to exposure to
the lethal gasses in the immediate aftermath of the
disaster.
▪ More than 500,000 people exposed to the poison gasses
left to suffer a lifetime of ill health and mental
trauma.
▪ The death toll has since risen to more than 20,000
people.
▪ Nearly 30 people continue to die from exposure-
related illnesses every month.

Preface
BHOPAL GAS TRAGEDY

▪ At least 150,000 people, including children born to gas-
exposed parents, suffer debilitating exposure-related
health effects.
▪ Tons of poisonous pesticides and other hazardous
wastes lying scattered and abandoned in the DOW-
CARBIDE factory premises, insidiously poisoning the
ground water and contaminating the land.

Preface
BHOPAL GAS TRAGEDY

Preface
PIPER ALPHA DISASTER

Preface
▪ The Piper Alpha was a North Sea oil production platform
operated by Occidental Petroleum (Caledonia) Ltd.
▪ It accounted for around 10% of the oil and gas
production from the North Sea at the time.
▪ The platform began production in 1976 first as an oil
platform and then later converted to gas production. An
explosion and resulting fire destroyed it on July 6,
1988, killing 167 men. Total insured loss was $3.4
billion. To date it is the world’s worst offshore oil
disaster.
Preface
▪ A large fixed platform, Piper Alpha was situated on the
Piper Oilfield, approximately 120 miles (193 km)
northeast of Aberdeen in 474 feet (144 m) of water,
and comprised four modules separated by firewalls.
▪ For safety reasons the modules were organized so that
the most dangerous operations were distant from the
personnel areas. The conversion from oil to gas broke
this safety concept, with the result that sensitive areas
were brought together, for example the gas
compression was now next to the control room, which
played a role in the accident.

Preface

Preface
▪ It produced crude oil and natural gas from twenty four
wells for delivery to the Flotta Oil Terminal on Orkney
and to other installations by three separate pipelines.
▪ It hosted a complement of about 240 personnel.

Preface

▪ On 6th of July 1988, work began on one of two
condensate-injection pumps, designated A and B,
which were used to compress gas on the platform prior
to transportation of the gas to Flotta.
▪ A pressure safety valve was removed from Compressor
“A” for recalibration and re-certification and two blind
flanges were fitted onto the open pipework.
▪ The dayshift crew then finished for the day.

Preface

▪ During the evening of 6th July, pump “B” tripped and
the nightshift crew decided that pump “A” should be
brought back into service.
▪ Once the pump was operational, gas condensate leaked
from the two blind flanges and, at around 22:00 hours,
the gas ignited and exploded, causing fires and damage
to other areas with the further release of gas and oil.

Preface
▪ Some twenty minutes later, the Tartan gas riser failed
and a second major explosion occurred followed by
widespread fire.
▪ Fifty minutes later, at around 22:50 hours, the MCP-01
gas riser failed resulting in a third major explosion.
▪ Further explosions then ensued, followed by the
eventual structural collapse of a significant proportion
of the installation.
(MCP = Manifold Compression Platform)

Preface

▪ There is controversy about whether there was
sufficient time for more effective emergency
evacuation.
▪ People were still getting off the platform several hours
after the initial fires and explosions.
▪ The main problem was that most of the personnel who
had the authority to order evacuation had been killed
when the first explosion destroyed the control room.

Preface

▪ This was a consequence of design of the platform,
including the absence of blast walls.
▪ Another contributing factor was that a nearby platform
(the Tartan) continued to pump gas into the heart of
the fire until its pipeline ruptured in the heat.
▪ The operations crew on the Tartan did not have
authority to shut off production even though they
could see that Piper Alpha was burning.

Preface
▪ The nearby support vessel Lowland Cavalier reported
the initial explosion just before 22:00, and the second
explosion occurred just twenty two minutes later.
▪ By the time civil and military rescue helicopters
reached the scene, flames over one hundred metres in
height and visible as far as one hundred km away
prevented safe approach. A specialist fire-fighting
vessel, was able to approach the platform, but could
not prevent the rupture of the Tartan pipeline, about
two hours after the start of the disaster and was forced
to retreat due to the severity of the fire.

Preface

▪ Only after Tartan stopped pumping gas into the inferno
could Tharos once again come alongside. Tharos
recovered no one that night.
▪ Two crewmen from the designated standby vessel were
killed when an explosion on the platform destroyed
their "Fast Rescue Craft", which had recovered several
survivors from the waters underneath the platform.

Preface

Preface
CHERNOBYL CATASTROPHE

Preface
▪ On 25th April 1986, Soviet's Union Chernobyl nuclear
plant exploded letting out a massive amount of
radiation.
▪ At exactly 1:21 am. the no. 4 reactor exploded and
released thirty to forty times the radiation of the
Nagasaki and Hiroshima bombing.
▪ The exact causes of the explosion are not known,
however scientists and researchers, under thorough
investigation, have uncovered possible causes to the
explosion.

Preface
THE MAIN REASONS GIVEN FOR THIS DISASTER WERE:

1. The operators of the plant were attempting to conduct
an experiment with the emergency cooling system
turned off, they made a series of fatal errors which
sealed everyone's fate.

Preface
2. The technicians started reducing the reactor's power
level so they could run the turbine experiment.
However in order for the plant to run at lower power
they had to turn off the automatic control system,
which powered all emergency actions that the plant
should make in case it went out of control.

Preface
3. Their next fatal error was the turning off of the
automatic shut down system, which would turn off the
reactor.
4. At 1:23 am on Saturday April 26, the workers began
the actual experiment. They made the next error, by
turning off the last safety system.

Preface
5. It took the shift manager thirty seconds to realize
what was happening and shouted at another operators
to press button AZ-5 which would have driven all the
control rods back into the core, but because the rods
were melted from serious heat they did not fit
properly into the core.

Preface
6. Several loud banging noises were heard. Immediately

the one thousand tonne roof of the reactor blew sky
high and brought down the giant two hundred ton re-
fueling crane onto the core, destroying more cooling
systems and 30 fires spread around the plant.

Preface
7. Finally the over-heating and steam build up caused a

second explosion which destroyed the reactor and part
of the building.

Preface
8. The graphite began to burn ferociously once exposed
to air, as the core reached temperatures as high as
2,800°F. A massive amount of radioactive dust was let
out into the air which was picked by winds and was
carried thousands of miles into every direction.

Preface
▪ The official theory about the main cause of the
accident placed the blame solely on the power plant
operators.
▪ The operators violated plant procedures and were
ignorant of the safety requirements needed by the
RBMK design.
▪ This was partly due to their lack of knowledge of the
reactor's design as well as lack of experience and
training. Several procedural irregularities also
contributed to causing the accident.

Preface
▪ One further issue was that there was insufficient
communication between the safety officers and the
operators in charge of the experiment being run that
night.
▪ It is also important to note that the reactor operators
disabled every safety system down to the generators,
which the test was really about.

Preface
▪ Following the explosion, a
massive concrete "sarcophagus"
(cover) was constructed around
the damaged no.4 Reactor.
▪ This sarcophagus was designed
to halt the release of further
radiation into the atmosphere.
▪ But the encasement was
designed with a lifetime of only
20 to 30 years in mind.

Preface
BUNCEFIELD OIL DEPOT

EXPLOSION

Preface
BUNCEFIELD OIL DEPOT EXPLOSION

Overview
▪ In the early hours of Sunday 11th of December 2005, a
number of explosions occurred at Buncefield Oil
Storage Depot, Hemel Hempstead, Hertfordshire in the
south of England.
▪ At least one of the initial explosions was of massive
proportions and there was a large fire, which engulfed
a high proportion of the site.

Preface
Overview
▪ Over 40 people were injured; fortunately there were
no fatalities. Significant damage occurred to both
commercial and residential properties in the vicinity
and a large area around the site was evacuated on
emergency service advice.
▪ The fire burned for several days, destroying most of
the site and emitting large clouds of black smoke into
the atmosphere.

Preface
Detail
▪ Starting at 19:00 in the evening of 10 December Tank
912, towards the north west of the main depot, was
filled with unleaded petrol.
▪ At midnight the terminal closed, and a check was made
of the contents of tanks which found everything
normal.
▪ From about 03:00 the level gauge for Tank 912
indicated an unchanging level reading, despite filling
continuing at 550 cubic metres per hour (19,500 cu ft
per hour).

Preface
Detail
▪ Calculations show that at around 05:20 Tank 912 would
have been completely full and starting to overflow.
▪ Serious indications exist which suggest that the
protection system which should have shut off the
supply of petrol to the tank to prevent overfilling did
not operate.
▪ From this time onwards, continued pumping caused
fuel to cascade down the side of the tank and through
the air, leading to the rapid formation of a rich fuel/air
mixture that collected in the embankment Bund A.

Preface Fuel spills over deflector

plate
Ullage ventilation hole
Fuel is diverted toward the

tank wall by deflector plate
BUNCEFIELD OIL
DEPOT EXPLOSION
Droplet fragmentation
enhanced by intersection of
liquid and vapour sprays
Air loaded with fuel vapour

driven rapidly downward by
liquid spray
Increased surface area

allows volatile fractions to
evaporate and vapour
gathers in bund
Liquid fuel
gathers in band
Bund wall
Not to scale

Preface
Detail
▪ There is evidence suggesting that a high level switch,
which should have detected that the tank was full and
shut off the supply, failed to operate.
▪ CCTV footage shows a cloud of vapour 1 to 2 metres (3
to 7 feet) deep flowing away from the tank.
▪ By 06:01, when the first explosion occurred, the cloud
had spread beyond the boundaries of the site.

Preface

Findings
▪ On 23 May 2008 a High Court judge ruled that Total UK
was negligent over the cause of the explosion.
▪ Mr Justice David Steel issued a summary judgment
after hearing that both Total and Hertfordshire Oil
Storage Ltd (HOSL) had agreed that negligence was the
cause.

Preface
Findings
▪ Total UK claimed that the duty supervisor at the time
was responsible for the explosion, but refused to admit
either civil or criminal liability for the incident.
▪ Claimants, include insurance companies, small
businesses and about 280 families whose properties
were damaged or destroyed, are claiming up to £1
billion in damages.
▪ Total UK intends to argue that it should not be liable
for damages because it could not reasonably have
foreseen that it would cause the destruction it did.

Preface
Sequel
▪ Further investigation into the design
of the ultimate high level switch
indicated that the position of a test
lever or plate fitted to the switch is
critical to ensure continued effective
operation.
▪ While the relevance of this feature to
the Buncefield incident has still to be
TAV Level
determined, one of the issues that Switch
has arisen from these enquiries

relates to the reliance on this type of
switch at many similar installations.
Preface

Preface

Preface

Section 01

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Section 01

Uploaded by

Copyright:

Available Formats

Haward Technology Middle East

HIGH CLASS TRAINING FOR ENGINEERS

Safety Instrumented Systems

Section 1 Haward Technology Middle East 2

Section 1 Haward Technology Middle East 3

Section 1 Haward Technology Middle East 4

Section 1 Haward Technology Middle East 5

Section 1 Haward Technology Middle East 6

Section 1 Haward Technology Middle East 7

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 8

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 9

Section 1 Haward Technology Middle East 10

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 11

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 12

MIC storage tanks Refrigeration system

Section 1 Haward Technology Middle East 13

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 14

BHOPAL GAS TRAGEDY

Section 1 Haward Technology Middle East 15

Section 1 Haward Technology Middle East 16

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 17

Section 1 Haward Technology Middle East 19

Section 1 Haward Technology Middle East 20

Section 1 Haward Technology Middle East 21

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 22

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 23

Section 1 Haward Technology Middle East 24

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 25

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 26

Section 1 Haward Technology Middle East 27

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 28

PIPER ALPHA DISASTER

Section 1 Haward Technology Middle East 29

Section 1 Haward Technology Middle East 30

Section 1 Haward Technology Middle East 31

THE MAIN REASONS GIVEN FOR THIS DISASTER WERE:

Section 1 Haward Technology Middle East 32

Section 1 Haward Technology Middle East 33

Section 1 Haward Technology Middle East 34

Section 1 Haward Technology Middle East 35

6. Several loud banging noises were heard. Immediately

Section 1 Haward Technology Middle East 36

7. Finally the over-heating and steam build up caused a

Section 1 Haward Technology Middle East 37

Section 1 Haward Technology Middle East 38

Section 1 Haward Technology Middle East 39

Section 1 Haward Technology Middle East 40

Section 1 Haward Technology Middle East 41

BUNCEFIELD OIL DEPOT

Section 1 Haward Technology Middle East 42

BUNCEFIELD OIL DEPOT EXPLOSION

Section 1 Haward Technology Middle East 43

Section 1 Haward Technology Middle East 44