Back in the day, the only thing worse than an atomic bomb going off on purpose was one going off accidentally.
Leaving aside the monumental nature of such a disaster, there was also the possibility of it occurring at absolutely the wrong time and triggering the nuclear apocalypse.
Yes Virginia, in those days we worried about apocalypses other than climate change.
At the time everyone realised that the risk of inadvertently starting World War III had to be minimised and, if possible, eliminated. So the good folks at Los Alamos and Sandia National Laboratories sat down and started to work seriously on how to prevent nuclear weapons from going off by accident.
The very good news is that these efforts have been successful, to date, in preventing an accidental high order nuclear detonation. The even better news is that the principles they developed can be applied to any high consequence application.
It is the stated position of the U.S. Air Force that their safeguards would prevent the occurrence of such events as are depicted in this film…
Film Title Card: Dr Strangelove
But, due to their natural shyness no doubt, you don’t normally find them talking too much about their achievements (1).
The three Is
The fundamental principles for preventing the accidental detonation of a weapon are what the nuclear safety community calls the three I’s: Isolation, Incompatibility and Inoperability.
Isolation. To prevent any old input from triggering the weapon, the critical parts (known as the physics package) are isolated behind an energy barrier. Designed safety devices then provide a controlled port through the energy barrier that allows deliberate triggering of the weapon.
Incompatibility. We also really don’t want something like a lightning strike on a signal line to initiate our weapon. So, to ensure that only a deliberate action will initiate a detonation, weapons include ‘locks’ which open only upon receipt of a unique signal (2).
Mechanical devices are used to provide this lock (yes Virginia, some folk really don’t trust software); they can withstand assaults from the environment and remain functional until specified harm levels are exceeded.
Inoperability. OK, so say our nuke is sitting in the burning wreck of a B-52 at the end of the runway; naturally we’d like it not to cook off.
To prevent this we build weak links into the system that ensure it will fail predictably under specific circumstances (such as fires). For example, using capacitors in the firing circuit that will fail predictably in a high temperature environment: the capacitors fail and open circuit the firing circuit well before the isolators fail and allow energy to pass down the circuit.
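The three I’s as an interlock chain, written as an added toy model for this post (not code from the original, and not a real design): every threshold, signal pattern and environment value below is a constructed constant. The model sweeps abnormal environments and shows that the ‘never cooks off’ property is a deterministic consequence of the weak link failing before the strong link, and disappears when that ordering is reversed.

```python
from dataclasses import dataclass
from itertools import product

# Constructed constants for this example; none are real design values.
UNIQUE_ARM_SIGNAL = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 1, 0)
WEAK_LINK_FAIL_C = 150     # capacitor open-circuits above this temperature
STRONG_LINK_FAIL_C = 350   # isolator can no longer be trusted above this

# Signals an environmental insult (lightning, fire) might put on the line
NOISE_SIGNALS = [
    tuple([0] * 12), tuple([1] * 12),          # stuck-at-0 / stuck-at-1
    tuple(i % 2 for i in range(12)),            # periodic coupling
]

@dataclass(frozen=True)
class Environment:
    temperature_c: float
    line_signal: tuple   # whatever is present on the arming line

def weak_link_intact(env, weak_fail_c=WEAK_LINK_FAIL_C):
    """Inoperability: decomposition above the threshold is certain, so the
    capacitor open-circuits predictably (probability one, not a guess)."""
    return env.temperature_c < weak_fail_c

def strong_link_intact(env, strong_fail_c=STRONG_LINK_FAIL_C):
    """Isolation: the energy barrier holds until much harsher conditions."""
    return env.temperature_c < strong_fail_c

def signal_matches(env):
    """Incompatibility: only the unique pattern opens the lock."""
    return env.line_signal == UNIQUE_ARM_SIGNAL

def energy_reaches_package(env, weak_fail_c=WEAK_LINK_FAIL_C,
                           strong_fail_c=STRONG_LINK_FAIL_C):
    """Energy passes only if the barrier is open AND the weak link still
    closes the firing path. Pessimistic modelling assumption: a degraded
    isolator passes energy whatever the signal on the line."""
    barrier_open = signal_matches(env) or not strong_link_intact(env, strong_fail_c)
    return barrier_open and weak_link_intact(env, weak_fail_c)

def inadvertent_outputs(weak_fail_c=WEAK_LINK_FAIL_C, strong_fail_c=STRONG_LINK_FAIL_C):
    """Sweep abnormal environments (no correct command present) and return
    every (temperature, signal) that still delivers energy to the package.
    An empty list is the deterministic 'will not cook off' property."""
    return [(t, sig) for t, sig in product(range(0, 1001, 10), NOISE_SIGNALS)
            if energy_reaches_package(Environment(t, sig), weak_fail_c, strong_fail_c)]

if __name__ == "__main__":
    print("weak link fails first:", inadvertent_outputs())          # []
    print("ordering reversed:", inadvertent_outputs(350, 150)[:2])
```

Swapping the two thresholds is the ‘ad hoc’ circuit of the later section: between the two failure temperatures the barrier is gone but the firing path is still closed, so noise alone delivers energy.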
Applying first principles
As you might have gathered from the inoperability criterion, nuclear weapons safety is underpinned by a first (physical) principles approach to safety. An example of such a physics based principle would be the permanent decomposition of an explosive charge when exposed to high temperature, or similarly the decomposition of the mylar in a capacitor in a high temperature event.
We can say of such fundamental properties that they must occur, i.e. the probability of occurrence given the defined trigger is always unity. Basing safety features upon them in turn gives us strongly predictable, read deterministic, behaviour.
Minimising safety critical components
We also functionally separate mission management from weapons functionality to ensure that the inventory of safety critical parts is as small as possible. This has several advantages: firstly we achieve a ‘separation of concerns’, and secondly the span and complexity of management and analysis is reduced. Of course, working on the ‘if it can go wrong it will’ principle, the fewer components there are, the less potential risk there is.
Safety themes and safety cases
Decades before the concept of safety cases emerged in the process and oil industries (see for example Cullen 1990), the nuclear weapons safety community had developed the concept of a safety case.
Of course they called it a safety theme, but fundamentally a safety theme is equivalent to the now common safety case. Both then and now the elements of a safety theme include: how the three I requirements were addressed by the implementation, the application of first principles to safety, and how the number of safety critical components has been minimised.
A safety theme describes in a unified fashion the principles that will be used to assure safety under all expected environments. A safety theme assists in directing effort to meet the major safety requirements and provides a framework in which to communicate the implementations to key stakeholders.
Antonio et al. in Isbell (1997)
So a safety theme is actually a close analog of the current concept of developing standard safety case patterns, which abstract fundamental safety strategies away from the details of specific projects (McDermid and Kelly 1997).
Because other constraints and system objectives exist, there are naturally trade-offs and compromises that need to be made during a weapon’s development. In response, the nuclear safety community requires a series of iterative and progressive safety evaluations to surface and evaluate any potential deviations from the safety theme.
Again, it turns out that this iterative evaluation process is mirrored in the practice of developing safety cases iteratively, from a preliminary version through to a final operational version (Chinneck et al. 2004).
Ad hoc versus predictable safety
So tell me, if you place your critical control circuit board in a fire, how is it going to behave? Can you guarantee that it will not generate a potentially hazardous output? If so, how many assumptions did you have to make?
The reality is that in those sorts of circumstances one can’t predict with any certainty how an ‘ad hoc’ (3) designed electronic circuit is going to behave.
The nuclear safety community identified this ‘ad hoc’ problem during the 1960s, and from it derived the requirement to design predictable ‘upon failure’ behaviour into your system. This was years before a similar ‘fail-stop’ concept emerged in the fault tolerant design community.
Conclusions
A really simple lesson emerges: no matter how smart you are or where you work, it’s always worthwhile looking around to see whether someone else has been there before you.
Notes
1. With the exception of Nancy Leveson in her excellent and comprehensive text on system safety, Safeware.
2. That is, signals that are logically separated from both each other and naturally occurring signals, normally via signal complexity, to reduce the likelihood of spoofing. Fundamentally here we’re assuming that any transmission outside the safety barrier is inherently compromised.
3. Ad hoc in the sense that it has been designed to perform its required functions in an implicitly assumed nominal environment, so its behaviour in an abnormal environment will be ‘ad hoc’.
References
Chinneck, P., Pumfrey, D. and McDermid, J., The HEAT/ACT Preliminary Safety Case: A case study in the use of Goal Structuring Notation, Proc. 9th Australian Workshop on Safety-Related Programmable Systems (SCS 2004), Brisbane, Australia, CRPIT, 47, Cant, T. (Ed.), ACS, pp. 33-41, 2004.
Cullen, W.D., The Public Inquiry Into the Piper Alpha Disaster, Dept of Energy, London, HMSO, November 1990.
Isbell, D. (Ed.), High Consequence Operations, July 21-23 1997, Sandia National Laboratories, Albuquerque, New Mexico, 1997.
McDermid, J. and Kelly, T.P., Safety Case Construction and Reuse using Patterns, Proc. SAFECOMP 97, pp. 55-69, 1997.
Plummer, D.W. and Greenwood, W.H., The History of US Nuclear Weapons Safety Devices, Sandia National Laboratories, AIAA Report 98-34-64, 1998.
Spray, S.D., Principle Based Passive Safety In Nuclear Weapon Systems, High Consequence Operations Safety Symposium, Sandia National Laboratories, Albuquerque, 13 July 1994.