Augmenting defense-in-depth with the concepts of observability and diagnosability from Control Theory and Discrete Event Systems

Defense-in-depth is a fundamental principle/strategy for achieving system safety. First conceptualized within the nuclear industry, defense-in-depth is the basis for risk-informed decisions by the U.S. Nuclear Regulatory Commission, and is recognized under various names in other industries (e.g., layers of protection in the Chemical industry). Accidents typically result from the absence or breach of defenses or violation of safety constraints. Defense-in-depth is realized by a diversity of safety barriers and a network of redundancies. However, this same redundancy and the intrinsic nature of defense-in-depth – the multiple lines of defense or “protective layers” along a potential accident sequence – may enhance mechanisms concealing the occurrence of incidents, or that the system has transitioned to a hazardous state (accident pathogens) and that an accident is closer to being released. Consequently, the ability to safely operate the system may be hampered and the efficiency of defense-in-depth may be degraded or worse may backfire. Several accidents reports identified hidden failures or degraded observability of accidents pathogens as major contributing factors.