On July 27, 2007, approximately 85 gallons of highly radioactive waste was spilled at the Hanford Tank Farms in Hanford, Washington. Fortunately, no workers were in the area at the time of the spill, and the accident investigation team determined that the radiation exposure had been low. However, this accident could have been much worse had workers been in the immediate vicinity; in fact, the report stated that workers had been in the area only 10 minutes before the spill.


Schematic of the leak area (Credits: US Department of Energy).


The cause of the accident according to the U.S. Department of Energy was overpressurization of a hose in a dilution line. Operators had been having difficulty restarting a pump, and the pump was run in reverse to clear the pump of clogs. The foot of the pump was clogged with waste during this operation, and some of that waste was forced to flow into a dilution line. Because of the waste in the line, the pressure increased and the line failed due to overpressure.

The accident investigation board found that the safety analyses performed prior to the mishap had adequately identified accident scenarios and hazard controls associated with this accident. However, the requirements derived from the hazard analysis for backflow prevention were not properly interpreted or implemented. Therefore, proper isolation devices were not installed.

The accident review team in particular noted that the design reviews were ineffective. Informal design teams were used rather than formal design reviews. Formal design reviews should have been conducted at intermediate steps of development, but this was not done, according to the investigation team. The accident report stated that when a subcontractor review team voiced concern about the possibility of overpressurization in a reverse pumping operation, that concern was ignored by the prime contractor. In addition, the prime contractor did not adequately review the design documentation, according to the accident investigation report.

Design Reviews

This accident points to the importance of design reviews as part of a broader systems engineering process, and shows why safety must be considered throughout the design process.

Because design and operational changes occur throughout development, safety activities must be integrated with the system development life cycle. Hazard analyses are meant to be updated as engineering proceeds to completion, and then they are updated as the system enters operation. In each program phase additional information is provided, hazards are refined, risks are reevaluated, mitigation measures are updated, and test plans are improved. For example, the National Aeronautics and Space Administration (NASA) typically uses the following distinctions for phased development, with example safety activities at each step.


Project life cycle with scheduled review points as laid out in the NASA Systems Engineering Handbook

Concept Development. The safety analysis process is initiated during the Concept Development phase and the Preliminary Hazard Analysis is performed.

Preliminary Design. The safety analysis process is continued and the safety review process is initiated during the Preliminary Design phase. The focus of the effort is to prepare the system safety analyses, identify all potential hazards and hazard causes, evaluate the means of eliminating, reducing, or controlling the risk (hazard controls), and establish the preliminary methods for verification of those controls.

Final Design and Fabrication. The focus in the Final Design phase is to prepare the updated analyses that reflect the detailed design and operations of the system. These analyses ensure that all hazards and hazard causes, and all appropriate means for eliminating, reducing, or controlling the risk (hazard controls), have been identified and implemented. The updated analyses include specific methods of verifying each control (e.g., test, analysis, inspection) in verification plans and procedures.

System Assembly, Integration, and Test. The design safety analysis and review process are completed during the Assembly, Integration, and Test phase.

Operational and Sustaining Engineering. Safety analyses and reviews continue during the Operational and Sustaining Engineering phase to ensure that hazard reports and the associated data elements are maintained and current information is available for real-time and near real-time risk assessments.

Decommissioning, Disposal, or Recycle. During this phase the system has come to the end of its useful life and is ready to be taken out of service, or the system has failed or has been damaged. Safety analyses are conducted to determine the risks associated with disposal or decommissioning activities.

This is just one way to implement a phased approach. The phases of development and approaches to implementing safety will vary by project and organization.

At each of these phases, design reviews must be conducted. These reviews go by many different names, including System Requirements Review, Preliminary Design Review, Critical Design Review, and Operational Readiness Review, corresponding to completion of the phases described above. These design reviews offer opportunities to review critical aspects of the system and its operation. The design reviews should be formal, with “entrance” criteria describing information needed prior to the review, and success criteria to determine whether the review adequately covered critical items. The amount of detail and depth of the information covered in each phase will depend on the complexity of the program. Regardless of that level of detail, the design reviews should show that the safety analysis is a critical component of each phase of the system life cycle.


Efforts to assure the safety of complex systems require the use of a formal system safety program. That program is not a one-time activity, but rather is performed throughout the development life cycle. Design reviews must be conducted at major milestones, and safety must be integrated in those design reviews. Design reviews can uncover problems in requirements, analysis, implementation, testing, and operations. Design reviews are critical elements of the systems engineering process, and a failure to perform formal design reviews at each phase can result in a failure to uncover critical safety problems, as seen in the Hanford Tank Farms incident.


U.S. Department of Energy, Office of Health, Safety and Security, “Type A Accident Investigation Report, The July 27, 2007 Tank 241-S-102 Waste Spill at the Hanford Tank Farms,” Volume 1, September 2007.

National Aeronautics and Space Administration, NASA Systems Engineering Handbook, NASA/SP-2007-6105, 2007.


About the author

Terry Hardy


Terry Hardy founded and leads efforts in system safety, software safety, and emergency management at Great Circle Analytics. Mr. Hardy has over 30 years of engineering experience and has performed engineering, safety, emergency management, and risk management activities for a number of commercial and government organizations including NASA and the U.S. Federal Aviation Administration. Mr. Hardy has created a web site, www.systemsafetyskeptic.com, to provide lessons learned in system safety, and he is author of several books on system safety including "The System Safety Skeptic: Lessons Learned in Safety Management and Engineering" and "Software and System Safety: Accidents, Incidents, and Lessons Learned."
