Defense in Depth (DiD) is a key design principle helping to improve the safety of complex systems in domains like nuclear power, oil and gas, and mining. DiD affects the basic design of the system because it contains requirements for isolation, diversity and safety divisions. If the DiD assessment happens late in the design process, there is a risk of costly redesign and project delays. To avoid this issue, this paper refines a set of early DiD assessment design rules and proposes a model-driven methodology for early assessment of the implementation of the DiD capabilities of a complex system design. The topology of the different design aspects of the system under study (mechanical, electrical, human factors, and others) and the dependencies between system elements are captured in a High Level Interdisciplinary Model (HLIM) that also holds DiD specific attributes. The resulting system model is assessed against the proposed set of DiD rules and requirements, and then it can be improved according to the results. The methodology is applied to a case study of an early nuclear power plant model of a spent fuel pool cooling system. The proof-of-concept software tool developed for early DiD assessment and presented in this paper is able to identify undesired dependencies between system elements of redundant systems, of different defense lines and other DiD related weaknesses. This provides practitioners with insights into potential vulnerabilities in the design and enables focused redesign to address the identified problems early in the design process.

You do not currently have access to this content.