Hazard Analysis: The BP Amoco Thermal Decomposition Incident

On March 13, 2001, three workers at the BP Amoco Polymers plant in Augusta, Georgia, were killed when a partially unbolted cover blew off a containment vessel, expelling hot plastic; the release caused tubing to break, which in turn caused a fire when hot liquid from the tubing ignited. This facility produced plastics, including Amodel, a high-performance nylon material. Prior to this incident, workers were attempting to start up Amodel production, but the startup was aborted due to problems downstream of the reactor. When the process was aborted, a large amount of partially reacted material had been sent to the polymer catch tank. This plastic continued to react and decompose inside the catch tank, generating gases and causing the contents to foam. Eventually the foam forced its way into pipes and emergency vents, where it solidified. The gases from the decomposition pressurized the vessel. Operators could not see that the tank was overpressurized because plastic in the vent line had solidified and blocked the pressure gauge port. Workers began to unbolt the polymer catch tank cover, believing the contents would be in solid form per previous experience. When half the bolts were removed, the cover blew off, spewing hot plastic and leading to the fatalities and injuries.

Failed bolts from the polymer catch tank cover. (Credits: BP Amoco Polymers, Inc).

Investigation

The United States Chemical Safety and Hazard Investigation Board (CSB) found in its investigation that operating staff had been unaware that Amodel could decompose and generate high pressure under these conditions. In addition, the CSB found that hazard analyses had not been performed to identify hazards from unintended and uncontrolled reactions, and the company did not address the hazards associated with reactivity and decomposition of the plastic. As such, personnel were unaware that safety systems such as vents, pressure relief devices, and monitoring devices could be made ineffective under certain conditions. Previous experience and near misses also had not been used to identify latent risks in the process. For example, operators found that drains often plugged with plastic residue, overfilling had occurred several times, and plastics inside the polymer catch tank caught fire on one occasion. The report also stated that startup procedures had changed prior to this accident. The new procedures increased the time in the polymer catch tank from 30 to 50 minutes. This increase in time increased the possibility of overfilling and allowed more time for the contents to react, thereby increasing the risks. The CSB stated that these procedures should have been subjected to Management of Change reviews to evaluate safety effects.

Hazard Analysis

Many factors contributed to this accident. Perhaps the most important factor, however, was the failure to perform a hazard analysis: a systematic approach to analyzing what could go wrong and identifying potential safeguards to prevent a mishap. A hazard analysis is an examination of a system or subsystem to identify and classify each potential hazard according to its severity and likelihood of occurrence and to develop mitigation measures for those hazards. Common types of hazard analysis used in space systems include Preliminary Hazard Analysis, Subsystem Hazard Analysis, System Hazard Analysis, and Operating & Support Hazard Analysis. These types of analysis address what gets analyzed (a system, a subsystem, a process). Each type of analysis is supported by a number of tools. Tools address how the analysis is conducted and what information comes from that analysis. The same tool (Fault Tree Analysis, Event Tree Analysis, etc.) can be used for each type of analysis.

The polymer catch tank cover blew off as a result of overpressurization. (Credits: BP Amoco Polymers, Inc).

The hazard analysis focuses on identification and evaluation of existing and potential hazardous conditions and provides recommended mitigations for the risks. Because design and operational changes occur throughout development, hazard analyses are meant to be updated as engineering proceeds to completion, and they are updated again as the system enters operation. The hazard analysis must be part of the complete development life cycle to be effective. A contributing factor to this accident was a failure to take life cycle changes into account; had analyses been performed, personnel might have better understood how changes to the operation increased the risk.

The hazard analysis provides a number of definable outputs, including the following:

  • Identification of failure modes and conditions that can result in hazards and improper usage
  • Selection of pertinent criteria, requirements, or specifications
  • Determination of safety factors for trade-off considerations
  • Evaluation of hazardous designs and the establishment of corrective and preventative action priorities
  • Identification of safety problems in subsystem interfaces
  • Identification of factors leading to accidents
  • Assessment of the likelihood of hazardous events and the critical causes
  • Descriptions and rankings of the importance of risks

While hazard analyses are important tools in safety, they also have limitations. Some of those include the following:

  • Because of the complexity of the systems being analyzed and the changes that may occur to the systems, there can never be a guarantee that all hazards or causal factors have been identified.
  • Because the analysis is dependent on the judgment and experience of the analyst, and because the assumptions behind the analyses are not always clear, two different analysts with the same information may produce different results.
  • Because of the typically large amounts of complex information generated in the analysis, the results may be difficult to understand.
  • The analyses are dependent on the skill and experience of the analyst.
  • Hazard analyses are subjective.

These limitations do not invalidate hazard analyses, but the analyst should be aware of these limitations to gain a full understanding of risk.

Summary

Expelled polymer was scattered throughout the area, up to 70 feet from the polymer catch tank. (Credits: BP Amoco Polymers, Inc.)

A system safety process is the way in which management and engineering implement the doctrine to assess hazards and reduce risks in complex systems. The heart of that system safety process is the hazard analysis. Hazard analyses can take many forms, and multiple tools are often used to assess safety from many different perspectives. Organizations must remember that the hazard analysis is a dynamic process, and is much more than a documentation activity. The hazard analysis is an iterative thought process that brings in past experience to understand how the current system, with its new configuration and operating conditions, can lead to harm. A failure to conduct a thorough hazard analysis can lead to a misunderstanding of the risks and may result in an accident such as the one described here.

Reference

U.S. Chemical Safety and Hazard Investigation Report, “Investigation Report: Thermal Decomposition Incident, BP Amoco Polymers, Inc., Augusta, Georgia, March 13, 2001,” Report No. 2001-03-I-GA, June 2002.

Feature image caption: KD-502 polymer catch tank (actual vessel with one cover removed) (Credits: Amoco Polymers, Inc.).

About the author

Terry Hardy

Terry Hardy founded and leads efforts in system safety, software safety, and emergency management at Great Circle Analytics. Mr. Hardy has over 30 years of engineering experience and has performed engineering, safety, emergency management, and risk management activities for a number of commercial and government organizations including NASA and the U.S. Federal Aviation Administration. Mr. Hardy has created a web site, www.systemsafetyskeptic.com, to provide lessons learned in system safety, and he is author of several books on system safety including "The System Safety Skeptic: Lessons Learned in Safety Management and Engineering" and "Software and System Safety: Accidents, Incidents, and Lessons Learned."

2 Responses

  1. Andrew Malcolm

    Really interesting article; the idea of one industry learning from another, especially where safety is concerned, is not a new one. What stood out to me though was the comment that FHA/ETA can be used for multiple analyses. Of course, that is correct, but I’d argue it’s not actually an appropriate tool for the case study. HAZOP would be a better approach (and in the process industry is most likely to be the tool used), for two reasons. One, it’s deterministic, and allows development of the fault sequences; the probabilistic assessment can come later, if necessary. Two, the article suggests that one practitioner would be carrying out the hazard analysis, but with HAZOP, you have multiple people engaged in the study to identify potential faults. In the end, one person has to bring it all together and write the safety argument, but they’re doing so on the back of multiple people providing an input at the key stages.

  2. Terry Hardy

    Thank you for your comments. I did not intend to exclude any particular analysis type, and I mentioned Functional Hazard Analysis and Event Tree Analysis only as examples. HAZOP is a common technique used in process safety, and may have been useful in this case to identify hazards. However, every analysis technique has its advantages and disadvantages. There is no such thing as one tool that is perfect for performing all system safety analyses, and some tools will be ineffective when placed in the wrong hands or used at the wrong stage of development. It is preferable to have experienced personnel working with their tool of choice, rather than seeking out the ideal tool. I also did not mean to imply that one person would conduct a hazard analysis alone. No one person can understand every aspect of a complicated system. One person acting alone may fail to uncover potential hazards and will represent only one viewpoint. System safety requires a team to be effective.
