Hazard Analysis: The BP Amoco Thermal Decomposition Incident


On March 13, 2001, three workers at the BP Amoco Polymers plant in Augusta, Georgia were killed when a partially unbolted cover blew off a containment vessel expelling hot plastic; the release caused tubing to break, which in turn caused a fire when hot liquid from the tubing ignited. This facility produced plastics, including Amodel, a high-performance nylon material. Prior to this incident workers were attempting to start up Amodel production, but the startup was aborted due to problems downstream of the reactor. When the process was aborted a large amount of partially reacted material had been sent to the polymer catch tank. This plastic continued to react inside the catch tank and decompose, generating gases and causing the contents to foam. Eventually the foam forced its way into pipes and emergency vents where it solidified. The resulting gases from the decomposition pressurized the vessel. Operators could not see that the tank was overpressurized because plastic in the vent line had solidified and blocked the pressure gauge port. Workers began to unbolt the polymer catch tank, believing the contents would be in solid form per previous experience. When half the bolts were removed the cover blew off, spewing hot plastic and leading to the fatalities and injuries.

Failed bolts from the polymer catch tank cover. (Credits: BP Amoco Polymers, Inc).

Failed bolts from the polymer catch tank cover (Credits: BP Amoco Polymers, Inc).


The United States Chemical Safety and Hazard Investigation Board (CSB) found in its investigation that operating staff had been unaware that Amodel could decompose and generate high pressure under these conditions. In addition, the CSB found that hazard analyses had not been performed to identify hazards from unintended and uncontrolled reactions, and the company did not address the hazards associated with reactivity and decomposition of the plastic. As such, personnel were unaware that safety systems such as vents, pressure relief devices, and monitoring devices could be made ineffective under certain conditions. Previous experience and near misses also had not been used to identify latent risks in the process. For example, operators found that drains often plugged with plastic residue, overfilling had occurred several times, and plastics inside the polymer catch tank caught fire on one occasion. The report also stated that startup procedures had changed prior to this accident. The new procedures increased the time in the polymer catch tank from 30 to 50 minutes. This increase in time increased the possibility of overfilling and allowed more time for the contents to react, thereby increasing the risks. The CSB stated that these procedures should have been subjected to Management of Change reviews to evaluate safety effects.

Hazard Analysis

Many factors contributed to this accident. Perhaps the most important factor however was a failure to use a systematic approach to analyze what could go wrong and identify potential safeguards to prevent a mishap, known as a hazard analysis. A hazard analysis is an examination of a system or subsystem to identify and classify each potential hazard according to its severity and likelihood of occurrence and to develop mitigation measures to those hazards. Common types of hazard analysis used in space systems include Preliminary Hazard Analyses, Subsystem Hazard Analysis, System Hazard Analysis, and Operating & Support Hazard Analysis. These types of analyses address what gets analyzed (a system, a subsystem, a process). Each type of analysis is supported by a number of tools. Tools address how the analysis is conducted, and what information comes from that analysis. The same tool (Fault Tree Analysis, Event Tree Analysis, etc.) can be used for each type of analysis.

The polymer catch tank cover blew off as a result of overpressurization.  (Credits: BP Amoco Polymers, Inc).

The polymer catch tank cover blew off as a result of overpressurization (Credits: BP Amoco Polymers, Inc).

The hazard analysis focuses on identification and evaluation of existing and potential hazardous conditions and provides recommended mitigations for the risks. Because design and operational changes occur throughout development, hazard analyses are meant to be updated as engineering proceeds to completion, and they are updated again as the system enters operation. The hazard analysis must be part of the complete development life cycle to be effective. A contributing factor to this accident was a failure to take life cycle changes into account; had analyses been performed personnel may have better understood how changes to the operation increased the risk.

The hazard analysis provides a number of definable outputs, including the following:

  • Identification of failure modes and conditions that can result in hazards and improper usage
  • Selection of pertinent criteria, requirements, or specifications
  • Determination of safety factors for trade-off considerations
  • Evaluation of hazardous designs and the establishment of corrective and preventative action priorities
  • Identification of safety problems in subsystem interfaces
  • Identification of factors leading to accidents
  • Assessment of the likelihood of hazardous events and the critical causes
  • Descriptions and rankings of the importance of risks

While hazard analyses are important tools in safety, they also have limitations. Some of those include the following:

  • Because of the complexity of the systems being analyzed and the changes that may occur to the systems, there can never be a guarantee that all hazards or causal factors have been identified.
  • Because the analysis is dependent on the judgment and experience of the analyst, and because the assumptions behind the analyses are not always clear, two different analysts with the same information may produce different results.
  • Because of the typically large amounts of complex information generated in the analysis, the results may be difficult to understand.
  • The analyses are dependent on the skill and experience of the analyst.
  • Hazard analyses are subjective.

These limitations do not invalidate hazard analyses, but the analyst should be aware of these limitations to gain a full understanding of risk.


Expelled polymer was scattered throughout the area, up to 70 feet from the polymer catch tank. (Credits: BP Amoco Polymers, Inc.)

Expelled polymer was scattered throughout the area, up to 70 feet from the polymer catch tank (Credits: BP Amoco Polymers, Inc.)

A system safety process is the way in which management and engineering implement the doctrine to assess hazards and reduce risks in complex systems. The heart of that system safety process is the hazard analysis. Hazard analyses can take many forms, and multiple tools are often used to assess safety from many different perspectives. Organizations must remember that the hazard analysis is a dynamic process, and is much more than a documentation activity. The hazard analysis is an iterative thought process that brings in past experience to understand how the current system, with its new configuration and operating conditions, can lead to harm. A failure to conduct a thorough hazard analysis can lead to a misunderstanding of the risks and may result in an accident such as the one described here.


U.S. Chemical Safety and Hazard Investigation Report, “Investigation Report: Thermal Decomposition Incident, BP Amoco Polymers, Inc., Augusta, Georgia, March 13, 2001,” Report No. 2001-03-I-GA, June 2002.

Feature image caption: KD-502 polymer catch tank (actual vessel with one cover removed)  (Credits: Amoco Polymers, Inc.).


About the author

Terry Hardy

Twitter Facebook Website

Terry Hardy founded and leads efforts in system safety, software safety, and emergency management at Great Circle Analytics. Mr. Hardy has over 30 years of engineering experience and has performed engineering, safety, emergency management, and risk management activities for a number of commercial and government organizations including NASA and the U.S. Federal Aviation Administration. Mr. Hardy has created a web site, www.systemsafetyskeptic.com, to provide lessons learned in system safety, and he is author of several books on system safety including "The System Safety Skeptic: Lessons Learned in Safety Management and Engineering" and "Software and System Safety: Accidents, Incidents, and Lessons Learned."

2 Responses

  1. Andrew Malcolm

    Really interesting article; the idea of one industry learning from another, especially where safety is concerned, is not a new one. What stood out to me though was the comment that FHA/ETA can be used for multiple analyses. Of course, that is correct, but I’d argue it’s not actually an appropriate tool for the case study. HAZOP would be a better approach (and in the process industry is most likely to be the tool used), for two reasons. One, it’s deterministic, and allows development of the fault sequences; the probabilistic assessment can come later, if necessary. Two, the article suggests that one practitioner would be carrying out the hazard analysis, but with HAZOP, you have multiple people engaged in the study to identify potential faults. In the end, one person has to bring it all together and write the safety argument, but they’re doing so on the back of multiple people providing an input at the key stages.

  2. Terry Hardy

    Thank you for your comments. I did not intend to exclude any particular analysis type, and I mentioned Functional Hazard Analysis and Event Tree Analysis only as examples. HAZOP is a common technique used in process safety, and may have been useful in this case to identify hazards. However, every analysis technique has its advantages and disadvantages. There is no such thing as one tool that is perfect for performing all system safety analyses, and some tools will be ineffective when placed in the wrong hands or used at the wrong stage of development. It is preferable to have experienced personnel working with their tool of choice, rather than seeking out the ideal tool. I also did not mean to imply that one person would conduct a hazard analysis alone. No one person can understand every aspect of a complicated system. One person acting alone may fail to uncover potential hazards and will represent only one viewpoint. System safety requires a team to be effective.

Leave a Reply

Your email address will not be published. Required fields are marked *