Defence in depth (non-military)

Last updated

A defence in depth uses multi-layered protections, similar to redundant protections, to create a reliable system despite any one layer's unreliability.

Contents

Examples

The term defence in depth is now used in many non-military contexts.

Fire prevention

A defence in depth strategy to fire prevention does not focus all the resources only on the prevention of a fire; instead, it also requires the deployment of fire alarms, extinguishers, evacuation plans, mobile rescue and fire-fighting equipment and even nationwide plans for deploying massive resources to a major blaze.[ citation needed ]

Defense-in-depth is incorporated into fire protection regulations for nuclear power plants. It requires preventing fires, detecting and extinguishing fires that do occur, and ensuring the capability to safely shutdown. [1]

Engineering

Defence in depth may mean engineering which emphasizes redundancy – a system that keeps working when a component fails – over attempts to design components that will not fail in the first place. For example, an aircraft with four engines will be less likely to suffer total engine failure than a single-engined aircraft no matter how much effort goes into making the single engine reliable. Charles Perrow, author of Normal accidents , wrote that sometimes redundancies backfire and produce less, not more reliability. This may happen in three ways: First, redundant safety devices result in a more complex system, more prone to errors and accidents. Second, redundancy may lead to shirking of responsibility among workers. Third, redundancy may lead to increased production pressures, resulting in a system that operates at higher speeds, but less safely. [2]

Nuclear

In nuclear engineering and nuclear safety, all safety activities, whether organizational, behavioural or equipment related, are subject to layers of overlapping provisions, so that if a failure should occur it would be compensated for or corrected without causing harm to individuals or the public at large. Defence in depth consists in a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive materials and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant. Defence in depth is implemented through design and operation to provide a graded protection against a wide variety of transients, incidents and accidents, including equipment failures and human errors within the plant and events initiated outside the plan. [3]

Existential risk mitigation

Defense in depth is a useful framework for categorizing existential risk mitigation measures into three layers of defense: [4]

  1. Prevention: Reducing the probability of a catastrophe occurring in the first place. Example: Measures to prevent outbreaks of new highly-infectious diseases.
  2. Response: Preventing the scaling of a catastrophe to the global level. Example: Measures to prevent escalation of a small-scale nuclear exchange into an all-out nuclear war.
  3. Resilience: Increasing humanity's resilience (against extinction) when faced with global catastrophes. Example: Measures to increase food security during a nuclear winter.

Human extinction is most likely when all three defenses are weak, that is, "by risks we are unlikely to prevent, unlikely to successfully respond to, and unlikely to be resilient against". [4]

Information security

Likewise, in information security / Information Assurance defence in depth represents the use of multiple computer security techniques to help mitigate the risk of one component of the defence being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors may be deployed to defend different potential vectors within the network, helping prevent a shortfall in any one defence leading to a wider failure; also known as a "layered approach".[ citation needed ]

See also

Related Research Articles

<span class="mw-page-title-main">Civil defense</span> Protection of citizens from natural disaster and military attack

Civil defense or civil protection is an effort to protect the citizens of a state from human-made and natural disasters. It uses the principles of emergency operations: prevention, mitigation, preparation, response, or emergency evacuation and recovery. Programs of this sort were initially discussed at least as early as the 1920s and were implemented in some countries during the 1930s as the threat of war and aerial bombardment grew. Civil-defense structures became widespread after authorities recognised the threats posed by nuclear weapons.

<span class="mw-page-title-main">Safety engineering</span> Engineering discipline which assures that engineered systems provide acceptable levels of safety

Safety engineering is an engineering discipline which assures that engineered systems provide acceptable levels of safety. It is strongly related to industrial engineering/systems engineering, and the subset system safety engineering. Safety engineering assures that a life-critical system behaves as needed, even when components fail.

In engineering, a fail-safe is a design feature or practice that, in the event of a specific type of failure, inherently responds in a way that will cause minimal or no harm to other equipment, to the environment or to people. Unlike inherent safety to a particular hazard, a system being "fail-safe" does not mean that failure is impossible or improbable, but rather that the system's design prevents or mitigates unsafe consequences of the system's failure. That is, if and when a "fail-safe" system fails, it remains at least as safe as it was before the failure. Since many types of failure are possible, failure mode and effects analysis is used to examine failure situations and recommend safety design and procedures.

<span class="mw-page-title-main">Nuclear meltdown</span> Severe nuclear reactor accident that results in core damage from overheating

A nuclear meltdown is a severe nuclear reactor accident that results in core damage from overheating. The term nuclear meltdown is not officially defined by the International Atomic Energy Agency or by the United States Nuclear Regulatory Commission. It has been defined to mean the accidental melting of the core of a nuclear reactor, however, and is in common usage a reference to the core's either complete or partial collapse.

<span class="mw-page-title-main">Safety</span> State of being secure from harm, injury, danger, or other non-desirable outcomes

Safety is the state of being "safe", the condition of being protected from harm or other danger. Safety can also refer to the control of recognized hazards in order to achieve an acceptable level of risk.

<span class="mw-page-title-main">Safety-critical system</span> System whose failure would be serious

A safety-critical system (SCS) or life-critical system is a system whose failure or malfunction may result in one of the following outcomes:

<span class="mw-page-title-main">Emergency management</span> Dealing with all humanitarian aspects of emergencies

Emergency management or disaster management is the managerial function charged with creating the framework within which communities reduce vulnerability to hazards and cope with disasters. Emergency management, despite its name, does not actually focus on the management of emergencies, which can be understood as minor events with limited impacts and are managed through the day-to-day functions of a community. Instead, emergency management focuses on the management of disasters, which are events that produce more impacts than a community can handle on its own. The management of disasters tends to require some combination of activity from individuals and households, organizations, local, and/or higher levels of government. Although many different terminologies exist globally, the activities of emergency management can be generally categorized into preparedness, response, mitigation, and recovery, although other terms such as disaster risk reduction and prevention are also common. The outcome of emergency management is to prevent disasters and where this is not possible, to reduce their harmful impacts.

<span class="mw-page-title-main">Redundancy (engineering)</span> Duplication of critical components to increase reliability of a system

In engineering, redundancy is the intentional duplication of critical components or functions of a system with the goal of increasing reliability of the system, usually in the form of a backup or fail-safe, or to improve actual system performance, such as in the case of GNSS receivers, or multi-threaded computer processing.

Fault tolerance is the property that enables a system to continue operating properly in the event of the failure of one or more faults within some of its components. If its operating quality decreases at all, the decrease is proportional to the severity of the failure, as compared to a naively designed system, in which even a small failure can cause total breakdown. Fault tolerance is particularly sought after in high-availability, mission-critical, or even life-critical systems. The ability of maintaining functionality when portions of a system break down is referred to as graceful degradation.

A high reliability organization (HRO) is an organization that has succeeded in avoiding catastrophes in an environment where normal accidents can be expected due to risk factors and complexity.

The advanced heavy-water reactor (AHWR) or AHWR-300 is the latest Indian design for a next-generation nuclear reactor that burns thorium in its fuel core. It is slated to form the third stage in India's three-stage fuel-cycle plan. This phase of the fuel cycle plan was supposed to be built starting with a 300MWe prototype in 2016.

In functional safety a safety instrumented system (SIS) is an engineered set of hardware and software controls which provides a protection layer that shuts down a chemical, nuclear, electrical, or mechanical system, or part of it, if a hazardous condition is detected.

Overspeed is a condition in which an engine is allowed or forced to turn beyond its design limit. The consequences of running an engine too fast vary by engine type and model and depend upon several factors, the most important of which are the duration of the overspeed and the speed attained. With some engines, a momentary overspeed can result in greatly reduced engine life or catastrophic failure. The speed of an engine is typically measured in revolutions per minute (rpm).

<span class="mw-page-title-main">Swiss cheese model</span> Model used in risk analysis

The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of Swiss cheese, which has randomly placed and sized holes in each slice, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. The model was originally formally propounded by James T. Reason of the University of Manchester, and has since gained widespread acceptance. It is sometimes called the "cumulative act effect".

<span class="mw-page-title-main">Global catastrophic risk</span> Potentially harmful worldwide events

A global catastrophic risk or a doomsday scenario is a hypothetical future event that could damage human well-being on a global scale, even endangering or destroying modern civilization. An event that could cause human extinction or permanently and drastically curtail humanity's potential is known as an "existential risk."

<span class="mw-page-title-main">Lancaster House Treaties</span>

The Lancaster House Treaties of 2010 are two treaties between the United Kingdom and France for defence and security cooperation. They were signed at 10 Downing Street on 2 November 2010 by British prime minister David Cameron and French President Nicolas Sarkozy.

Defence in depth is a military strategy that seeks to delay rather than prevent the advance of an attacker, buying time and causing additional casualties by yielding space. Rather than defeating an attacker with a single, strong defensive line, defence in depth relies on the tendency of an attack to lose momentum over time or as it covers a larger area. A defender can thus yield lightly defended territory in an effort to stress an attacker's logistics or spread out a numerically superior attacking force. Once an attacker has lost momentum or is forced to spread out to pacify a large area, defensive counter-attacks can be mounted on the attacker's weak points, with the goal being to cause attrition or drive the attacker back to its original starting position.

Many countries around the world have civil defense organizations dedicated to protecting civilians from military attacks and providing rescue services after widespread disasters. In most countries, civil defense is a government-managed and often volunteer-staffed organization.

U.S. non-military nuclear material is regulated by the U.S. Nuclear Regulatory Commission, which uses the concept of defense in depth when protecting the health and safety of the public from the hazards associated with nuclear materials. The NRC defines defense in depth as creating multiple independent and redundant layers of protection and response to failures, accidents, or fires in power plants. For example, defense in depth means that if one fire suppression system fails, there will be another to back it up. The idea is that no single layer, no matter how robust, is exclusively relied upon; access controls, physical barriers, redundant and diverse key safety functions, and emergency response measures are used. Defense in depth is designed to compensate for potential human and mechanical failures, which are assumed to be unavoidable.

<span class="mw-page-title-main">Domino effect accident</span> Accident that causes one or more consequential accidents

A domino effect accident is an accident in which a primary undesired event sequentially or simultaneously triggers one or more secondary undesired events in nearby equipment or facilities, leading to secondary accidents more severe than the primary event. Thus, a domino effect accident is actually a chain of multiple events, which can be likened to a falling row of dominoes. The term knock-on accident is also used.

References

  1. NRC: 10 CFR Appendix R to Part 50—Fire Protection Program for Nuclear Power Facilities Operating Prior to January 1, 1979
  2. Scott D. Sagan (March 2004). "Learning from Normal Accidents" (PDF). Organization & Environment. Archived from the original (PDF) on 2004-07-14.
  3. International Nuclear Energy Agency (1996). Defence in depth in nuclear safety (INSAG-10) (PDF). ISBN   92-0-103295-1.
  4. 1 2 Cotton-Barratt, Owen; Daniel, Max; Sandberg, Anders (2020). "Defence in Depth Against Human Extinction: Prevention, Response, Resilience, and Why They All Matter". Global Policy. 11 (3): 271–282. doi:10.1111/1758-5899.12786. ISSN   1758-5899. PMC   7228299 . PMID   32427180.