Defense in Depth (DiD) is a classical defensive concept currently applied in a variety of technical fields, including the nuclear industry (where it is most widely applied), the chemical industry, Information and Communication Technology (ICT), transport, and many others. It slows the progression of an “attack” against a “target” by using multiple, independent levels of protection (or lines of defense), designed to compensate for the failure of one or more defenses so that risks are kept acceptable. Concerning current practices for DiD implementation and the rationale for its evolution, there is a shared recognition that the reinforcement of DiD is key to improving the safety of future installations for all types of technologies and industries. Within this context, the results of Probabilistic Safety Assessment (PSA) play a key role in demonstrating the robustness of both the design and the safety case, supporting the verification that the DiD principles are correctly implemented. After an analysis of the evolution of DiD over time and of its application to different industrial fields, this paper addresses a key issue that is still open: the link that must be put in place to derive the DiD probabilistic success criteria from PSA insights. The practical proposals outlined point out the open questions.
Defense in Depth (DiD) originated in the military arena as a defensive strategy aimed at protecting the population while preserving the effectiveness of defense installations1. It slows the progression of an attack by using several successive layers, such as fortifications, troops, and field works, instead of concentrating all resources on a single defensive line. The concept is currently applied to nuclear, chemical, ICT, transport, and other fields. The central idea of DiD is the implementation of multiple and independent levels of protection (or lines of defense) [
Nuclear Power Plants (NPPs) present high energy density, ionizing radiation and a source term which can be mobilized in case of accident. Consequently, DiD has fulfilled a primary role in promoting and implementing safety and security measures. The term was first introduced in the 1970s [
1Historians describe a technique of “defense in depth” used around 2900 BCE at Hierakonpolis in Egypt, based on parallel and independent walls to strengthen the protection of the city.
2In the field of industrial safety, “risk” is defined as the likelihood that a hazard materializes in one or more scenarios with adverse consequences. The “level of risk” is then quantified by evaluating the probability of each scenario and the severity of the corresponding consequences: Risk = Probability × Severity.
3The “plant condition” is defined as a specific Initiating Event associated with a given state of the installation (nominal operation, shutdown, maintenance, etc.). The possible abnormal behavior of the provisions implemented to manage the plant condition generates the incidental and accidental scenarios.
Initially, DiD was seen as a set of independent physical barriers (cladding, vessel, containment, …). To address the lack of data on barrier performance and effectiveness, i.e. the uncertainties about the safety features, these barriers were conservatively designed (introducing safety margins) and implemented so as to guarantee, as far as feasible, independence, diversity and functional redundancy, giving DiD a deterministic connotation. Although this deterministic connotation is not peculiar to DiD, for a long time it was the only key to interpreting DiD. With INSAG-10 [
4i.e. not necessarily with reference to their plausible character.
5Cf. Libmann (1996): “The concept of defense in depth is not only a guide for the review of a particular technical solution as, for example, a set of singular barriers, but a method of reasoning and a general framework to examine more fully the entire facility, both for its design and for its analysis”; Libmann J., Eléments de sûreté nucléaire, 1 January 1996.
6Conservative approach for the Design Basis Accidents (DBA) and best-estimate approach, coupled with the assessment of uncertainties, for the Design Extension Conditions (DEC).
7It also recognizes the possibility of relaxing some design constraints for “rare” events, accepting the loss of system operability while guaranteeing the required safety function(s).
The state of the art of DiD in the nuclear field can be established from the work of three of the main nuclear institutions and regulatory bodies: the International Atomic Energy Agency (IAEA), the U.S. Nuclear Regulatory Commission (NRC), and the Western European Nuclear Regulators Association (WENRA). Although no single agreed definition exists, the interpretations and insights from these bodies help to fix the concept.
One of the IAEA's main missions is to promote safety in the nuclear industry by providing objectives and high-standard requirements. The current definition of DiD, stated in the IAEA Safety Fundamentals No. SF-1 [
The NRC is responsible for licensing U.S. NPPs and supervising their safety. Nuclear safety regulations are collected in Title 10 of the U.S. Code of Federal Regulations (10 CFR). Implementing and maintaining DiD is one of the focal points of these regulations. A current definition of DiD states: “Defense-in-depth is an element of the NRC’s Safety Philosophy that employs successive compensatory measures to prevent accidents or lessen the effects of damage if a malfunction or accident occurs at a nuclear facility. The NRC’s Safety Philosophy ensures that the public is adequately protected and that emergency plans surrounding a nuclear facility are well conceived and will work. Moreover, the philosophy ensures that safety will not be wholly dependent on any single element of the design, construction, maintenance, or operation of a nuclear facility” [
WENRA promotes the harmonization of nuclear safety among Western European regulators [
After the publication of NUREG-75/014 (WASH-1400) in 1975, a “risk-informed” approach to design and assessment began to take the place of “Classical” DiD, with the objective of integrating insights from the former (
The “Classical” (elsewhere “structuralist [
The design of Generation IV International Forum (GIF) systems shall comply with DiD and its principles in order to achieve safety robustness, thereby helping to ensure that nuclear systems do not exhibit any particularly dominant risky [
8The notion is consistent with that of “layers of provisions” discussed by the IAEA safety standards (e.g. IAEA-Safety of Nuclear Power Plants: Design; No. SSR-2/1 Specific Safety Requirements; Vienna 2012) when addressing the concept of DiD and the content of DiD levels.
A pillar of the GIF Integrated Safety Assessment Methodology (ISAM) is the notion of safety architecture, based on that of Line of Protection (LOP)8: for each initiating event and plant condition, and for each safety function, the representation of the safety architecture shall allow the designer to clearly identify, for each DiD level, the set of provisions which, together, achieve the requested mission, i.e. meet the corresponding safety objectives. For a given DiD level, the LOP assembles the set of provisions and, for the initiator and safety function under consideration, materializes the content of that level. Two ISAM tools relate more specifically to the safety architecture and DiD [
The Qualitative Safety Features Review (QSR): structured according to the DiD levels, it provides a systematic means of ensuring and documenting that the evolving GIF design concept incorporates the desirable safety attributes and characteristics.
The Objective Provision Tree (OPT,
Meeting the objective formulated in INSAG-25, i.e. decision-making through an integrated risk-informed approach, requires a harmonized understanding of the content of DiD and of its implementation. As such, the use of the risk space as a means to merge the deterministic and probabilistic approaches appears to be a key step, especially concerning the evolution of DiD for GIF systems. ISAM provides the tools which help the designer to construct DiD architectures, and the analyst to assess the pertinence of the solutions.
9The leading designs of facilities for controlled-fusion research use magnetic or inertial confinement. Magnetic confinement attempts to create the conditions needed for fusion energy production by using the electrical conductivity of plasma to contain it by magnetic fields.
Two fusion machines, TFTR and JET, both based on the tokamak design9, have been through licensing procedures. Currently, the deuterium-tritium machine ITER is under construction in France. Even if the ITER licensing represents the first such procedure for a fusion facility managing a significant tritium inventory, the safety demonstration of fusion facilities is supported by experience gained in nuclear fission. Compared to fission, fusion is believed to have favorable safety and environmental characteristics [
- the use of conservative design practices, the application of quality assurance and the promotion of a positive safety culture;
- provisions for the control of abnormal operation and the detection of failures that could lead to damage to confinement barriers;
- safety systems and protective systems;
- accident management provisions.
Safety analyses aim at demonstrating that the provisions foreseen for implementing the DiD levels keep the facility within its safety limits during normal and incidental conditions; in this framework, they provide evidence of the capability of the adopted confinements to avoid the dispersion of hazardous materials10 [
10Environmental hazards come from different sources: neutron fluxes during plasma operation; radioactive products, including tritium, activated materials and dust, activated corrosion products and gases; chemical materials, toxic and cryogenic ones, such as beryllium, hydrogen, ozone, inert gases, insulator gases, ….
11A sequence of events is a “beyond-design-basis” accident either if the expected frequency of the initiating event is below a threshold (10^-6/yr) or if an event considered within the design basis is further degraded by assuming an additional independent aggravating failure of a component or system needed in the response to the event.
margins in BDBA situations and to demonstrate the absence of cliff-edge effects [
The safety assessment of ITER is based on a set of accident sequences, conservatively selected on a deterministic basis. Deterministic safety analysis techniques have been used to determine a fully representative set of reference events, supplemented only by probabilistic assessment techniques to check its comprehensiveness. Each sequence starts with a postulated initiating event and adds all consequential failures, up to the release into the environment. Consistently with DiD, the rationale for selecting reference events consists first of identifying every radiological source and its confinement barriers; failure of one or several of these barriers may then be postulated and a scenario defined; consequences are evaluated and compared with the safety objectives [
12Despite the difference in number (three lines of defense for chemical plants versus the five levels required for NPPs), the basic DiD principles are the same.
The safety approach of the chemical industry aims at interrupting the escalation of initiating events into hazardous conditions, largely in line with the nuclear one. In the USA, the Occupational Safety and Health Administration and the Environmental Protection Agency have established the Process Safety Management (PSM) regulation (Title 29 CFR Section 1910.119) and the Risk Management Program (RMP) regulation (Title 40 CFR Part 68), respectively, which set the requirements for the compliance and acceptability of highly hazardous chemical processes. DiD is not mentioned explicitly, but the DiD philosophy is clearly observed in the implementation of lines of defense (or layers of defense) aimed at reducing the risk associated with major accidents, i.e. at reducing their likelihood of occurrence and/or mitigating their consequences. The concept of lines of defense was introduced in 1993 by the American Institute of Chemical Engineers (AIChE) [
The Layer of Protection Analysis (LOPA) methodology is consistent with PSM (and RMP) requirements and embodies the DiD principle. It was developed from the concept of lines of defense, with the aim of:
- Determining whether a protection layer meets the requirements of an Independent Protection Layer (IPL),
- Estimating the risk of severe accidents,
- Assessing the adequacy, in terms of physical performance and reliability, of the IPLs to adequately reduce the risk of an accident [
LOPA is systematically carried out in conjunction with an initial qualitative analysis, the Preliminary Hazard Analysis, and can be followed by a Quantitative Risk Analysis (QRA). For that reason, it is considered a semi-quantitative method, obtaining risk values that may nevertheless be orders of magnitude larger than the QRA ones14. The way LOPA addresses the IPLs represents an implicit estimation of DiD effectiveness. A Probability of Failure on Demand (PFD) is allocated to each IPL, accounting for its reliability in performing a specific function on demand. The PFD is a dimensionless number between 0 and 1; the smaller the PFD, the larger the Risk Reduction Factor (RRF, the reciprocal of the PFD) applied to the undesired consequence [
13The analogies between the LOP notion, as introduced by the GIF/RSWG, and the LOPA methodology, as discussed here, deserve deep analysis.
14LOPA generates results that are “orders of magnitude” more conservative than those expected from a quantitative analysis, i.e. with a conservatism that might seem excessive. Nevertheless, LOPA is very simple and easy to apply, and this is why it generates considerable interest: a quantitative risk analysis, except in rare cases, can be excessively expensive.
15The Safety Integrity Level (SIL) is an integer (from a minimum of 1 to a maximum of 4) which expresses the level of RRF provided by an IPL.
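As an added worked example (not code from the paper), the following Python script carries out the LOPA arithmetic described above for one constructed scenario: it credits only layers whose PFD qualifies them as IPLs, multiplies the initiating event frequency by the PFDs of the credited IPLs, compares the mitigated frequency with a tolerable target, and expresses any shortfall as the RRF and SIL of an additional safety instrumented function. The scenario, the frequencies, the PFD ceiling used to qualify an IPL and the tolerable frequency are all assumptions of the example; the SIL bands are those of IEC 61508 for low-demand mode.

```python
"""Layer of Protection Analysis (LOPA) of a single accident scenario.

Added example: the scenario, frequencies and PFDs below are constructed for
illustration and are not taken from the paper or from any real plant.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Rule of thumb of LOPA practice (assumption for this example): a layer only
# counts as an Independent Protection Layer (IPL) if it removes at least a
# factor of 10 of risk, i.e. PFD <= 0.1, and it must be independent of the
# initiating event and of every other IPL credited in the same scenario.
IPL_MAX_PFD = 0.1

# IEC 61508 low-demand Safety Integrity Levels as Risk Reduction Factor bands
# (lo < RRF <= hi); SIL 1 is 1e-2 <= PFD < 1e-1, SIL 2 is 1e-3 <= PFD < 1e-2, etc.
SIL_RRF_BANDS = {1: (10, 100), 2: (100, 1_000), 3: (1_000, 10_000), 4: (10_000, 100_000)}


@dataclass(frozen=True)
class IPL:
    name: str
    pfd: float  # probability of failure on demand, dimensionless, 0 < pfd <= 1

    def __post_init__(self) -> None:
        if not 0.0 < self.pfd <= 1.0:
            raise ValueError(f"{self.name}: PFD must lie in (0, 1], got {self.pfd}")

    @property
    def rrf(self) -> float:
        """Risk Reduction Factor: the smaller the PFD, the larger the RRF."""
        return 1.0 / self.pfd

    def qualifies_as_ipl(self) -> bool:
        return self.pfd <= IPL_MAX_PFD


def mitigated_frequency(initiating_frequency: float, ipls: Iterable[IPL]) -> float:
    """Frequency (per year) of the consequence once every credited IPL has failed.

    Multiplying the PFDs is only valid because IPLs are, by definition, independent.
    """
    frequency = initiating_frequency
    for ipl in ipls:
        frequency *= ipl.pfd
    return frequency


def sil_for_rrf(rrf: float) -> Optional[int]:
    """Smallest SIL whose band covers the requested RRF.

    0 means the target is already met; None means the requirement exceeds
    SIL 4, which signals that the design, not an instrumented function,
    must change.
    """
    if rrf <= 1.0:
        return 0
    if rrf <= SIL_RRF_BANDS[1][0]:
        return 1  # below the SIL 1 band, but the smallest SIF available is SIL 1
    for sil, (lo, hi) in SIL_RRF_BANDS.items():
        if lo < rrf <= hi:
            return sil
    return None


def analyse_scenario(initiating_frequency: float, ipls: list, tolerable_frequency: float) -> dict:
    """Full LOPA pass: credit only qualifying IPLs, compare with the target and
    size any additional Safety Instrumented Function (SIF) in SIL terms."""
    credited = [ipl for ipl in ipls if ipl.qualifies_as_ipl()]
    mitigated = mitigated_frequency(initiating_frequency, credited)
    additional_rrf = max(1.0, mitigated / tolerable_frequency)
    return {
        "credited": [ipl.name for ipl in credited],
        "rejected": [ipl.name for ipl in ipls if not ipl.qualifies_as_ipl()],
        "mitigated_frequency": mitigated,
        "meets_target": mitigated <= tolerable_frequency,
        "additional_rrf": additional_rrf,
        "additional_sil": sil_for_rrf(additional_rrf),
    }


# Constructed scenario: loss of cooling on an exothermic reactor (initiating
# event at 0.1/yr) protected by a BPCS alarm with operator response, a relief
# valve, and an administrative check too weak to count as an IPL.
SCENARIO_IPLS = [
    IPL("BPCS high-temperature alarm + operator response", 0.1),
    IPL("Pressure relief valve", 0.01),
    IPL("Shift supervisor walk-round", 0.5),
]
INITIATING_FREQUENCY = 0.1   # per year (assumption)
TOLERABLE_FREQUENCY = 2e-6   # per year for this consequence class (assumption)

if __name__ == "__main__":
    for key, value in analyse_scenario(INITIATING_FREQUENCY, SCENARIO_IPLS, TOLERABLE_FREQUENCY).items():
        print(f"{key}: {value}")
```

Because the PFDs are simply multiplied, the result is only meaningful if the credited layers are genuinely independent of each other and of the initiating event; a layer that shares a sensor, a power supply or an operator with another one must be credited only once. In the constructed scenario the two credited IPLs bring the frequency to 1e-4/yr against a target of 2e-6/yr, so a further RRF of 50 is needed, which falls in the SIL 1 band.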
16In ICT, a threat is considered to be an attack that has the potential to cause harm to a system asset, jeopardizing its productivity. Four types of threats are generally distinguished: physical, environmental, site-related, and technical.
17A vulnerability is a system weakness that can be exploited by threats to cause harm to the asset [
Due to the recent development of Information and Communication Technology (ICT), information security has become extremely important. Security measures, criteria and strategies have been established with the aim of keeping system assets (information and data) Confidential, Intact (i.e. of preserved integrity) and Available (the CIA triad), and of reducing the risk of exposure to threats16. ICT security has given major attention to threats that can affect the system from inside, i.e. technical threats such as malware, improper system operation, etc. This is because internal threats represent the most rapid and easiest way of causing harm and are characterized by a high degree of uncertainty (or “element of surprise” [
- Systematically exploring the system vulnerabilities17,
- Gathering as much information as possible about threats and potential attackers, thereby reducing the element of surprise,
- Identifying protection and response measures.
The implementation of multiple levels of defense blends in well with the original DiD approach as conceptualized in the military arena, provided that the notions of threats, system vulnerabilities and assets to protect are thoroughly understood. ICT security relies upon the security architecture of the whole system. By analogy with the DiD concept in the nuclear and chemical industries, at least three main levels or functions are required to successfully implement a security architecture within ICT [
Implementing DiD means first carrying out a risk analysis, with the aim of:
- Classifying the system assets (data and information) according to their importance,
- Identifying and understanding the threats and evaluating their severity,
- Establishing the degree of system vulnerability as a function of the associated risk, calculated for each threat-asset pair.
The number, quality and reliability of the levels implemented must be commensurate with the calculated value of risk and the allowable degree of uncertainty. It should be noted that, if threat identification is too imprecise (and the element of surprise prevalent), greater weight will be given to the deterministic approach than to PSA.
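The risk analysis just outlined can be made concrete with the following added Python example (not from the paper, with constructed assets, threats and scores). Each threat-asset pair is scored as Probability × Severity in the sense of footnote 2, with the severity taken as the asset's importance class weighted by the pair's vulnerability; the probability of each threat is an interval rather than a point value, and when the interval is wider than an assumed ratio the upper bound is used, which is the deterministic treatment the paragraph above reserves for threats whose identification is too imprecise. The threshold ratio, the use of importance as severity and the vulnerability scores are assumptions of the example.

```python
"""Threat-asset risk register as the first step of an ICT Defense in Depth
implementation. Added example, not from the paper: the assets, threats,
probability intervals and vulnerability scores are constructed.

Risk = Probability x Severity, evaluated per threat-asset pair as
P(threat) x V(asset, threat) x importance(asset), where V is the chance that
the threat, once it occurs, actually harms the asset (this example's notion
of the pair's vulnerability). When the probability interval of a threat is
too wide, the "element of surprise" prevails and the upper bound is used,
i.e. the pair is treated deterministically rather than probabilistically.
"""
from dataclasses import dataclass

# p_high / p_low above this ratio -> deterministic treatment (assumption).
SURPRISE_RATIO = 100.0


@dataclass(frozen=True)
class Asset:
    name: str
    importance: int  # 1 (negligible) .. 5 (critical), from asset classification


@dataclass(frozen=True)
class Threat:
    name: str
    kind: str      # physical, environmental, site-related or technical
    p_low: float   # lower bound of the annual probability of occurrence
    p_best: float  # best estimate
    p_high: float  # upper bound

    def __post_init__(self) -> None:
        if not 0.0 < self.p_low <= self.p_best <= self.p_high <= 1.0:
            raise ValueError(f"{self.name}: need 0 < p_low <= p_best <= p_high <= 1")

    def effective_probability(self, surprise_ratio: float = SURPRISE_RATIO):
        """Best estimate when the interval is narrow enough to trust, otherwise
        the conservative bound. Returns (probability, basis)."""
        if self.p_high / self.p_low > surprise_ratio:
            return self.p_high, "deterministic (upper bound)"
        return self.p_best, "probabilistic (best estimate)"


def risk_register(assets, threats, vulnerability, surprise_ratio: float = SURPRISE_RATIO):
    """One row per threat-asset pair, highest risk first.

    A pair missing from the vulnerability map is an error, not a zero: an
    unassessed pair would silently break the exhaustiveness of the analysis.
    """
    missing = [(a.name, t.name) for a in assets for t in threats
               if (a.name, t.name) not in vulnerability]
    if missing:
        raise ValueError(f"analysis not exhaustive, unassessed pairs: {missing}")
    rows = []
    for asset in assets:
        for threat in threats:
            p, basis = threat.effective_probability(surprise_ratio)
            v = vulnerability[(asset.name, threat.name)]
            rows.append({"asset": asset.name, "threat": threat.name, "kind": threat.kind,
                         "probability": p, "basis": basis,
                         "risk": p * v * asset.importance})
    return sorted(rows, key=lambda row: row["risk"], reverse=True)


# Constructed inventory. The insider threat has a very wide interval (its
# likelihood is poorly known), so it is scored on its upper bound.
ASSETS = [Asset("customer database", 5), Asset("public website", 3), Asset("build server", 4)]
THREATS = [
    Threat("ransomware", "technical", 0.05, 0.2, 0.5),
    Threat("flood", "environmental", 0.001, 0.003, 0.01),
    Threat("insider misuse", "technical", 0.001, 0.02, 0.5),
]
VULNERABILITY = {  # (asset, threat) -> chance the threat harms the asset if it occurs
    ("customer database", "ransomware"): 0.6, ("customer database", "flood"): 0.2,
    ("customer database", "insider misuse"): 0.4,
    ("public website", "ransomware"): 0.3, ("public website", "flood"): 0.2,
    ("public website", "insider misuse"): 0.1,
    ("build server", "ransomware"): 0.5, ("build server", "flood"): 0.2,
    ("build server", "insider misuse"): 0.4,
}

if __name__ == "__main__":
    for row in risk_register(ASSETS, THREATS, VULNERABILITY):
        print(f"{row['risk']:.4f}  {row['asset']:<18} {row['threat']:<15} {row['basis']}")
```

Running the register with the surprise threshold in place puts the poorly characterized insider threat against the customer database at the top; raising the threshold so that every threat is scored on its best estimate moves ransomware to the top instead. The pairs whose basis is deterministic are exactly the ones for which better threat intelligence (the information gathering step above) would change the ranking most.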
18The notion of “prevention”, while not explicit in Ref. [
19i.e. looking for exhaustiveness.
As a result of the recent rise in the constraints and potential consequences affecting a transport system, the French public transport operator, Régie Autonome des Transports Parisiens (RATP), which has a long record of reliably managing safety and security activities, has decided to improve its operations by implementing a DiD approach. RATP considers DiD as: “the set of provisions and means organized, contributing to the control of the potential final effects susceptible to be created by all forms of aggressions on sensitive elements”, and as the: “global and dynamic defense, implementing several coordinated lines of defense, against internal and external aggressions, potential or proven―and that on all the cycle of life of the transport system” [
- The attacker (or the threat),
- The aggressive flow (generated by the attack),
- The sensitive element (or the system vulnerability).
20In this figure the possible bypass of an “element of defense” (e.g. the “line failure state” (the dotted orange line) that goes through the “line of protection”) should be clarified.
deterministic approach (0% probabilistic, 100% deterministic), which has been substantially superseded by the adoption of DiD principles; “Classical” DiD does not coincide with the upper-left corner because of a non-null intrinsic contribution of the probabilistic approach. Point A represents a first “improvement” of “Classical” DiD with further probabilistic insights (approximately in the 1980s). Point B shows a further development of the probabilistic approach (2000-2010), aimed at assessing the uncertainty of the estimates and recognizing the existence of known unknowns (k-unks) and unknown unknowns (unk-unks). Assuming that the increasing contribution of probabilistic insights will reduce the influence of the k-unk uncertainties, the asymptotic limit beyond which the deterministic approach “only” covers the residual unk-unk uncertainties (e.g. the awareness of a possible lack of exhaustiveness) is identified as “Evolutionary” DiD. The lower-right corner of the picture represents the risk-based approach (100% probabilistic, 0% deterministic), and cannot be reached.
It is apparent that the two points of view―deterministic and probabilistic―are complementary and not alternative.
The role of probabilistic studies in risk-informed DiD is twofold: on the one hand, the reliability of the safety architecture's components can be taken into account; on the other, a probabilistic approach allows uncertainties to be better managed. Starting from the frequency of occurrence of initiating events, taking component reliability into account allows a better assessment of the probability of the sequences which, in turn, ensures a proportionate treatment of the associated risk. With regard to uncertainties, each input variable is characterized by a probability distribution, and sampling techniques are used to propagate these uncertainties through the model. The resulting uncertainty estimates make it possible to rank components according to the sensitivity of the model output to them, and thus to optimize safety performance while avoiding oversizing of the safety provisions. In a “risk-informed” approach, the concept of risk21 can be used to link deterministic and probabilistic analyses. Several elements contribute to the integration of the deterministic approach with the notion of risk [
Secondly, for a given plant condition there is the need to:
- Define the safety objectives, i.e. establish quantitative criteria for risk acceptability (achieved by positioning the Farmer curve within the risk space).
- Quantify the required efficiency of the different DiD levels against the potential risk generated by the plant condition. It has to be stressed that this step is directly related to the rules for component classification.
- Define and assess how much DiD is enough.
- Deal with uncertainties.
The correct implementation of these elements can also help to guarantee two complementary criteria:
- The exhaustiveness of the analysis, which mainly deals with the need to correctly identify rare event sequences;
- The balance between the level of risk and the effort deployed to guarantee the required safety, through a cost-benefit analysis23.
Consistently with the ISAM methodology, the requirements applicable individually to each provision and collectively to the entire LOP can be deduced using the Farmer curve (
21Cf. footnote 2.
22The set includes both the DBAs (i.e. the anticipated operational occurrences (AOO), incidents and accidents) and the hypothetical Design Extension Conditions (DEC).
23The implementation of the ALARA principle remains mandatory.
24E.g. the place of the 1st level of DiD, which differs from the proposals made by WENRA and the NRC and should be discussed.
As qualitatively indicated in
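The following added Python example (not code from the paper) illustrates the risk-space mechanics discussed above: the uncertainty propagation and sensitivity ranking described in the paragraph on the role of probabilistic studies, and the positioning of a plant condition against a Farmer curve used to derive the collective PFD requirement on a Line of Protection. The sequence model multiplies the initiating event frequency by the PFDs of three lines of protection, each input being lognormal with a median and an error factor; the medians, error factors, Farmer-line parameters and the choice of the 95th percentile as the acceptance statistic are all assumptions of the example.

```python
"""Risk-space assessment of one plant condition: uncertainty propagation,
Farmer-curve check and sensitivity ranking of the lines of protection (LOP).

Added example, not code from the paper. Sequence model:
    F_seq = F_IE * PFD_LOP1 * PFD_LOP2 * PFD_LOP3
Each input is lognormal, described by its median and an error factor
EF = p95 / p50. All numbers below are constructed for illustration.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Input:
    name: str
    median: float        # per year for the initiating event, PFD for a LOP
    error_factor: float  # EF = p95 / p50 of the lognormal uncertainty

    @property
    def sigma(self) -> float:
        # The 95th percentile of a lognormal sits 1.645 sigma above the median
        # in log space, so ln(EF) = 1.645 * sigma.
        return math.log(self.error_factor) / 1.645


def farmer_limit(consequence: float, ref_frequency: float = 1e-4,
                 ref_consequence: float = 1.0, slope: float = 1.5) -> float:
    """Tolerable frequency for a consequence of the given magnitude: a Farmer
    line of slope -slope through (ref_consequence, ref_frequency) on log-log
    axes, so larger consequences must be rarer (parameters are assumptions)."""
    return ref_frequency * (ref_consequence / consequence) ** slope


def propagate(inputs, n: int = 20000, seed: int = 1):
    """Monte Carlo propagation: sample ln(input) for every input and sum the
    samples, which gives ln(F_seq). Returns per-input log samples and log output."""
    rng = random.Random(seed)
    log_inputs = {inp.name: [] for inp in inputs}
    log_output = []
    for _ in range(n):
        total = 0.0
        for inp in inputs:
            sample = math.log(inp.median) + inp.sigma * rng.gauss(0.0, 1.0)
            log_inputs[inp.name].append(sample)
            total += sample
        log_output.append(total)
    return log_inputs, log_output


def percentile(sorted_values, q: float):
    """q-quantile of an ascending list (nearest rank)."""
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def pearson(xs, ys) -> float:
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def sensitivity_ranking(log_inputs, log_output):
    """Inputs ordered by |correlation| of their log samples with ln(F_seq):
    the top entries are the provisions whose reliability data drive the
    output uncertainty and therefore deserve the best justification."""
    scores = [(name, abs(pearson(xs, log_output))) for name, xs in log_inputs.items()]
    return sorted(scores, key=lambda item: item[1], reverse=True)


def assess_plant_condition(initiating, lops, consequence: float, n: int = 20000, seed: int = 1):
    """Position the plant condition in the risk space and derive what the
    whole LOP must achieve for the sequence to stay under the Farmer line."""
    log_inputs, log_output = propagate([initiating, *lops], n, seed)
    freqs = sorted(math.exp(v) for v in log_output)
    p95 = percentile(freqs, 0.95)
    limit = farmer_limit(consequence)
    return {
        "median": percentile(freqs, 0.50),
        "p95": p95,
        "farmer_limit": limit,
        # Acceptance is judged on the 95th percentile, not the median, so that
        # the uncertainty itself is part of the judgement.
        "acceptable": p95 <= limit,
        # Collective requirement on the LOP: the nominal PFD it offers today
        # versus the PFD needed for the median sequence to meet the limit.
        "nominal_lop_pfd": math.prod(lop.median for lop in lops),
        "required_lop_pfd": limit / initiating.median,
        "sensitivity": sensitivity_ranking(log_inputs, log_output),
    }


# Constructed plant condition: loss of the main heat sink, protected by an
# automatic trip, an auxiliary cooling train and an ultimate heat removal path.
INITIATING_EVENT = Input("IE loss of main heat sink", 1e-2, 3.0)
LINES_OF_PROTECTION = [
    Input("LOP1 automatic trip", 1e-1, 2.0),
    Input("LOP2 auxiliary cooling", 1e-2, 10.0),
    Input("LOP3 ultimate heat removal", 1e-3, 5.0),
]

if __name__ == "__main__":
    for consequence in (10.0, 1000.0):
        print(consequence, assess_plant_condition(INITIATING_EVENT, LINES_OF_PROTECTION, consequence))
```

With these inputs the median sequence frequency is 1e-8/yr and the 95th percentile about 2e-7/yr; for a consequence of 10 units the Farmer line allows about 3e-6/yr, so the condition is acceptable, whereas for a consequence of 1000 units the allowed frequency drops to about 3e-9/yr and the LOP as a whole would need a PFD roughly three times lower than its nominal 1e-6. The sensitivity ranking is driven by the error factors: the auxiliary cooling train, whose PFD is the least well known, comes first, which is where better reliability data would most reduce the output uncertainty.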
In the previous sections, the evolution of DiD and the shift from a deterministic toward a risk-informed approach have been discussed for different fields. For all these fields, a common goal is to achieve a robust design with respect to possible threats and hazards, coupled with a robust safety demonstration. As already discussed, DiD and PSA are essential elements of this effort; below are summarized indications and guidelines to improve their contribution and to identify the needed research and development effort.
In terms of DiD, the guidelines that can be adopted for a robust design approach address the elements that contribute significantly to the strength of the safety architecture, i.e.: the consideration, as comprehensive as practicable, of accident situations; the routine coverage of physical phenomena that may occur; the demonstration of the enveloping character of the situations selected for the design; the control of uncertainties; the search for potential threshold effects and the identification of margins against these thresholds. On the other hand, to ensure the robustness of the demonstration, the designer must be able to show that the specific risks of the technology are controlled by an adequate level of knowledge, to identify and justify the positioning of the provisions implemented for each level of DiD, to justify their performance and reliability, and to ensure that the principles of independence, progressiveness and balance between the different levels are met. In particular, the level of coverage and the quality of the modeling of degraded situations contribute to the robustness of the demonstration. In this context, PSA makes it possible to model, and assign a probability to, all plausible sequences that the facility could face. Completing these studies allows the list of initiators and their categorization to be checked, the deterministic design basis of the implemented provisions to be broadened, the progressive and balanced design of the facility's safety to be verified, the list of complex operating conditions to be reviewed, a judgment to be made on the probabilistic evaluation of hazards, the probability of consequences to be quantified where appropriate, the preventive maintenance program to be justified and, finally, the overall safety level of the system to be assessed. That said, PSA, like any modeling, involves uncertainties, particularly on degraded operating modes and on the estimated reliability data integrated into the calculations.
This calls for tempering the decisions taken on the basis of its results.
In the specific case of new facilities, probabilistic studies are conducted and enriched in successive stages as the development of these facilities progresses. In the course of this development process, “on-line” PSA provides an aid to the design of safety provisions (comparison of technical solutions, impact of redundancy, diversification and separation), to the evaluation of the gain provided by specific provisions (e.g. for the prevention of severe accidents), to the demonstration that sequences that may lead to intolerable consequences are “practically eliminated”, and finally to the comparison of the level of safety with that of operating facilities or other facilities under development. These studies must be improved as data acquisition progresses in the following areas: the list of plausible initiating events; the uncertainty of the reliability data on common cause failures, human reliability and the contribution of support systems; the list of internal and external hazards that must be considered, with the development of appropriate methods.
In support of the issues mentioned above, methods and tools to be developed or under development include:
- Method of identification and classification of the operating conditions,
- Method of identifying and analyzing threats and hazards and their consequences,
- Method for describing the safety architecture, addressing all of its components,
- Method of identification and classification of lines of protection,
- Method to quantify the reliability of provisions, incorporating the management of the associated uncertainties,
- Methods of analysis and quantification of the human factor and hardware and software reliability,
- Methods of assessing radiological consequences (for nuclear installations).
Concerning current practices for DiD implementation and the rationale for its evolution, there is a shared recognition that the reinforcement of DiD is key to improving the safety of future installations for all types of technologies and industries. Specific R&D needs have been identified. They essentially address methods to represent and assess the actual practical implementation of DiD, contributing to the requested reinforcement. Within this context, PSA results play a key role in supporting the robustness of both the design and the safety demonstration, by underpinning the verification that the DiD principles, such as the efficiency, independence and progressiveness of the different DiD levels, are correctly implemented and that the balance of the installation's safety is adequate. Nevertheless, it should be pointed out that, while the principles for interpreting the roles of DiD and PSA are well defined, discrepancies exist in the details of their practical implementation. A key open issue is the link that must be put in place to derive the DiD probabilistic success criteria from PSA insights. Practical proposals come, for example, from the GIF safety activities; starting from insights collected from IAEA standards and WENRA or NRC documents, they are founded on the use of the risk space as an integrator between DiD and PSA. Nevertheless, while widely discussed and accepted, they have not yet been formally agreed by the different communities.
Chierici, L., Fiorini, G.L., La Rovere, S. and Vestrucci, P. (2016) The Evolution of Defense in Depth Approach: A Cross Sectorial Analysis. Open Journal of Safety Science and Technology, 6, 35-54. http://dx.doi.org/10.4236/ojsst.2016.62004