The defence in depth principle
A layered approach to safety barriers
Defence in depth is a safety philosophy involving the use of successive compensatory measures (often called barriers, layers of protection, or lines of defence) to prevent accidents, or to reduce the damage if a malfunction or accident occurs at a hazardous facility. Barriers should, as far as possible, be independent, meaning that the failure of one barrier does not affect the effectiveness of the others. The philosophy ensures that safety is not wholly dependent on any single element of the design, construction, maintenance or operation of the facility.
The concept is ancient, dating back to the design of military forts which used multiple layers of defence including moats, outer walls, inner walls and towers. It is also related to the old idiom “Don’t put all your eggs in the same basket”, attributed to a wise man in the novel Don Quixote.
Applied to safety, it has been most strongly codified in the nuclear power sector, where it is described in the INSAG-10 reference document [INSAG 1996]. The philosophy is applied in many other industrial sectors, and is also used in the security and cybersecurity communities (for cybersecurity, see in particular IEC 62443-1-1, Industrial communication networks – network and system security, chapter 5.4).
The objectives are as follows:
- compensate for potential human and component failures
- maintain the effectiveness of the barriers by averting damage to the plant and to the barriers themselves
- protect the public and the environment from harm in the event that these barriers are not fully effective.
The initial, basic interpretation of the defence in depth principle considered the independent physical layers surrounding the hazard source (for a nuclear reactor, for example, a first level is the cladding that encases the fuel, a second level is the reactor vessel, and a third level is the containment building). Progressively, safety specialists adopted a more abstract interpretation of layers, including non-physical layers of defence such as emergency response and the human and organizational factors of safety.
The IAEA formulation of the defence in depth principle specifies five levels of defence:
- Prevent deviations from normal operation
- Detect and control deviations
- Incorporate safety features, safety systems and procedures to prevent core damage
- Mitigate the consequences of accidents
- Mitigate radiological consequences
It is important for the implementation of defence in depth to be periodically verified and tested, to ensure that changes made to the system have not weakened its effectiveness [IAEA 2005].
The defence in depth principle underlies many widely-used risk analysis methods, such as the Layer of Protection Analysis (LOPA) method [CCPS 2001].
Critiques of the principle
One possible negative effect of this design principle was identified by Jens Rasmussen, who pointed out that unless the effectiveness of barriers is regularly monitored, people working within the system will develop compensatory measures that reduce the level of safety intended by the system designers.
One basic problem is that in such a system having functionally redundant protective defenses, a local violation of one of the defenses has no immediate, visible effect and then may not be observed in action. In this situation, the boundary of safe behaviour of one particular actor depends on the possible violation of defenses by other actors. [Rasmussen 1997]
In other words, defence in depth limits access to the feedback information that is essential for adaptation: a violated barrier produces no visible consequence, so nothing tells the people involved that their margin of safety has shrunk. The notion of practical drift (the slow, uncoordinated departure of everyday practice from written procedure) is important in understanding how the safety of systems designed using the defence in depth principle can erode over time.
Another criticism is that increasing the number of barriers increases the total complexity of the system, which in itself increases the level of risk. This is particularly true if the barriers are not fully independent. Full independence is hard to achieve in practice, since barriers often depend on some common underlying infrastructure, such as the electricity supply, water supply, cooling system or ventilation, or on more subtle shared features such as a clock signal in the case of electronic equipment, and they are typically managed and maintained by the same people. These common dependencies can lead to a common mode failure, in which a single event defeats multiple layers of defence at once, so the real risk reduction is far lower than the product of the individual barrier failure probabilities would suggest.
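The arithmetic behind this criticism, and behind the LOPA method mentioned above, can be made concrete. The following is an added worked example, not code from the original article or from any of the cited standards. The initiating-event frequency and the probability-of-failure-on-demand (PFD) values are constructed illustrative numbers, and the treatment of a shared dependency as one extra failure that disables every layer simultaneously is a deliberate simplification of the common-cause models used in practice.

```python
"""Worked LOPA-style calculation showing why non-independent barriers
matter (added illustration; constructed numbers, simplified model)."""
from math import prod


def mitigated_frequency(ief, pfds, shared_dependency_pfd=0.0):
    """Frequency per year of the unwanted consequence.

    ief   -- initiating event frequency (events per year)
    pfds  -- probability of failure on demand (PFD) of each protection
             layer, assumed mutually independent (the classic LOPA case:
             each layer multiplies the frequency by its PFD)
    shared_dependency_pfd -- assumed probability that a dependency common
             to every layer (electricity, cooling, the same maintenance
             crew...) is unavailable on demand. When it fails, all layers
             fail together, so this term is added to, not multiplied with,
             the independent-failure term.
    """
    for p in list(pfds) + [shared_dependency_pfd]:
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    independent_all_fail = prod(pfds)
    p_all_layers_fail = (shared_dependency_pfd
                         + (1.0 - shared_dependency_pfd) * independent_all_fail)
    return ief * p_all_layers_fail


def risk_reduction_factor(ief, pfds, shared_dependency_pfd=0.0):
    """How many times rarer the consequence is than the initiating event."""
    return ief / mitigated_frequency(ief, pfds, shared_dependency_pfd)


def common_mode_floor(ief, shared_dependency_pfd):
    """Best achievable frequency given the shared dependency, however many
    layers are stacked on top: the shared failure alone defeats them all."""
    return ief * shared_dependency_pfd


# Constructed scenario: a vessel overpressure hazard with three layers.
IEF = 0.1  # assumed: one demand on the barriers every ten years
LAYERS = {
    "control-system alarm + operator action": 0.1,
    "safety instrumented trip":              0.01,
    "pressure relief valve":                 0.01,
}


if __name__ == "__main__":
    pfds = list(LAYERS.values())
    print(f"independent layers:          {mitigated_frequency(IEF, pfds):.2e}/yr "
          f"(RRF {risk_reduction_factor(IEF, pfds):.0f})")
    for shared in (1e-3, 1e-2):
        f = mitigated_frequency(IEF, pfds, shared)
        print(f"shared dependency PFD={shared:.0e}: {f:.2e}/yr "
              f"(RRF {risk_reduction_factor(IEF, pfds, shared):.0f}), "
              f"floor {common_mode_floor(IEF, shared):.1e}/yr")
    # Adding a fourth layer barely helps once the shared dependency dominates.
    four = pfds + [0.01]
    print(f"four layers, shared PFD=1e-3: "
          f"{mitigated_frequency(IEF, four, 1e-3):.2e}/yr")
```

Run as a script, it prints the independent case (three layers, risk reduction factor of 100,000) next to the same layers sharing a dependency with a PFD of 0.001: the risk reduction collapses to roughly 1,000, and adding a fourth layer changes the result by less than one percent, because the frequency cannot fall below the common-mode floor `IEF × shared_dependency_pfd`. The same reasoning applies to a firewall, an EDR agent and a SIEM that all depend on one identity provider or one management network.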
The Fukushima Daiichi nuclear accident illustrates a poor implementation of the defence in depth concept [NEA 2016]. The earthquake and subsequent tsunami caused all six off-site power lines connecting the facility to the electric grid to fail, and also destroyed all but one of the on-site emergency power supplies: a single event removed the common dependency on which the successive layers of defence relied.
Photo credits: Bodiam castle by Matthew Millen, CC BY-NC-ND licence.
IAEA. 2005. “Assessment of defence in depth for nuclear power plants.” Safety Reports Series No. 46. Vienna: IAEA. https://www.iaea.org/publications/7099/assessment-of-defence-in-depth-for-nuclear-power-plants.
INSAG. 1996. “Defence in depth in nuclear safety: INSAG-10.” International Nuclear Safety Advisory Group, IAEA, Vienna. http://www-pub.iaea.org/MTCD/publications/PDF/Pub1013e_web.pdf.