Abstract

Defense-in-depth is a fundamental principle and strategy for achieving system safety. First conceptualized within the nuclear industry, defense-in-depth is the basis for risk-informed decisions by the U.S. Nuclear Regulatory Commission, and is recognized under various names in other industries (e.g., layers of protection in the chemical industry). Accidents typically result from the absence or breach of defenses or from the violation of safety constraints. Defense-in-depth is realized by a diversity of safety barriers and a network of redundancies. However, this same redundancy and the intrinsic nature of defense-in-depth - the multiple lines of defense or "protective layers" along a potential accident sequence - may strengthen mechanisms that conceal the occurrence of incidents, or conceal that the system has transitioned to a hazardous state (accident pathogens) and that an accident is closer to being released. Consequently, the ability to safely operate the system may be hampered, and the efficiency of defense-in-depth may be degraded or, worse, may backfire. Several accident reports have identified hidden failures or degraded observability of accident pathogens as major contributing factors.
In this work, we begin to address this potential theoretical deficiency in defense-in-depth by bringing concepts from Control Theory and Discrete Event Systems to bear on issues of system safety and accident prevention. We introduce the concepts of controllability, observability, and diagnosability, and frame the current understanding of system safety as a "control problem" handled by defense-in-depth and safety barriers (or safety constraints). Observability and diagnosability are information-theoretic concepts, and they provide important complements to the energy model of accident causation from which the defense-in-depth principle derives. We formulate a new safety-diagnosability principle for supporting accident prevention, and propose that defense-in-depth be augmented with this principle, without which defense-in-depth can degenerate into a defense-blind safety strategy. Finally, we provide a detailed discussion and illustrative modeling of the sequence of events that led to the BP Texas City Refinery accident in 2005 and emphasize how a safety-diagnosable architecture of the refinery could have supported the prevention of this accident or mitigated its consequences. We hope the theoretical concepts introduced here and the safety-diagnosability principle become useful additions to the intellectual toolkit of risk analysts and safety professionals and stimulate further interaction and collaboration between the control and safety communities.
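To make the Discrete Event Systems notion of diagnosability concrete, the following added example (not code from the paper) implements the twin-plant (verifier) check on a constructed toy model of a hidden sensor failure: the fault event `f`, the observable events `ok` and `hi`, and both automata are assumptions made for illustration. A safety barrier whose failure leaves the observable behaviour unchanged is exactly the "accident pathogen" that defense-in-depth can hide.

```python
from collections import deque

# Verifier-style diagnosability check for a deterministic finite automaton.
# trans: {(state, event): next_state}; the fault event is unobservable.
# Assumes the usual liveness condition (no deadlock after the fault); a
# fault followed by deadlock would otherwise count as vacuously diagnosable.
def twin_plant_diagnosable(trans, init, observable, fault):
    succ = {}
    for (s, e), t in trans.items():
        succ.setdefault(s, []).append((e, t))

    def steps(s, allow_fault):
        for e, t in succ.get(s, []):
            if e != fault or allow_fault:
                yield e, t

    # Verifier state = (normal copy, full copy, fault already executed?).
    # Unobservable events move one copy; observable events move both.
    start = (init, init, False)
    edges, queue, seen = {}, deque([start]), {start}
    while queue:
        n, f, flag = queue.popleft()
        nxt = [((t, f, flag), False) for e, t in steps(n, False) if e not in observable]
        nxt += [((n, t, flag or e == fault), True) for e, t in steps(f, True) if e not in observable]
        nxt += [((t, t2, flag), True) for e, t in steps(n, False) if e in observable
                for e2, t2 in steps(f, True) if e2 == e]
        edges[(n, f, flag)] = nxt
        for v, _ in nxt:
            if v not in seen:
                seen.add(v); queue.append(v)

    # Not diagnosable iff some edge that moves the (faulty) full copy lies
    # on a cycle of fault-labelled verifier states: the faulty run can go on
    # forever while looking identical to a normal run.
    for u, outs in edges.items():
        for v, moved in outs:
            if moved and v[2] and reaches(edges, v, u):
                return False
    return True

def reaches(edges, src, dst):
    queue, seen = deque([src]), {src}
    while queue:
        s = queue.popleft()
        if s == dst:
            return True
        for v, _ in edges.get(s, []):
            if v not in seen:
                seen.add(v); queue.append(v)
    return False

# Constructed toy models. STUCK_SENSOR: after the unobservable fault f the
# level sensor keeps reporting "ok", so the hazardous state is concealed.
STUCK_SENSOR = {(0, "ok"): 0, (0, "f"): 1, (1, "ok"): 1}
# ALARMED: an independent high-level alarm "hi" fires only in the faulty state.
ALARMED = {(0, "ok"): 0, (0, "f"): 1, (1, "hi"): 2, (2, "hi"): 2}
```

Running `twin_plant_diagnosable(STUCK_SENSOR, 0, {"ok"}, "f")` returns False and the `ALARMED` variant returns True: the added diverse, independent observation is what turns the architecture into a safety-diagnosable one.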

  • Publication date: 2011-1