DoD Nuclear Weapon System Safety Concepts

Posted by Ronald Gault, March 3, 2015

The DoD nuclear safety programs extend from the initiation of a nuclear weapon’s development cycle through the demilitarization and retirement of that nuclear weapon system. Documented nuclear safety design features are incorporated into the weapon system design, and a nuclear certification process evaluates whether those requirements have been satisfactorily implemented and continue to be met throughout the weapon system’s life cycle. Nuclear safety design certification is granted when a Nuclear Weapon System Safety Group and the Office of the Secretary of Defense accept the design and test data after their own study of it.

1.0  Nuclear Safety Philosophy

DoD documentation states, “due to their awesome destructive capability, nuclear weapons must be designed, developed, produced, fielded, and logistically supported with consistent, stringent safety provided”. Cost and operational factors must nevertheless be weighed. The designer must strive to maximize nuclear safety within the operational and cost constraints, treating cost and reasonableness as legitimate factors in how safety is implemented rather than as reasons to omit it. It is the responsibility of the DOE and DoD project managers to ensure that the acquisition programs they conduct meet the requirements for nuclear safety.

Although it rests on a somewhat philosophical assumption, it is generally accepted within the nuclear weapon safety community that no individual nuclear safety subsystem can be credited with more than a one in a thousand (10^-3) reduction in the probability of an event that impacts nuclear safety, especially when the entire lifetime of a weapon is considered. The “limit” of 10^-3 per subsystem is founded on the concern that statistically demonstrating even that level via testing, across all possible normal and abnormal environments and attacks, is economically unfeasible. Hence a combination of analyses (mostly) and testing (limited, but perhaps necessary to validate key elements of the analyses) must be provided to reasonably demonstrate a 10^-3 contribution, even though the analysis and testing might not, in the purest sense, satisfy a strict proof of the 10^-3 allocation. The use of features that can be considered inherently safe (i.e., requiring no proof, being self-evident from natural law and science) may greatly reduce the burden of analytical and test support. Because the credited failure probabilities of independent subsystems multiply, a minimum of two safety-contributing subsystems is required to reach a 10^-6 probability level (10^-3 x 10^-3) and a minimum of three subsystems is required for the 10^-9 level. Therefore, the prevalent opinion in designing reliable nuclear safety into a nuclear weapon system is to incorporate several layers of safety (i.e., a distributive approach) to achieve the required quantitative nuclear safety levels. The concept is to use multiple nuclear safety subsystems, components and features collectively to provide the required safety standard both in normal, day-to-day environments and when the weapon system is exposed to a specific set of abnormal (accident) environments or to subversive attack, either of which might cause one subsystem, component or feature to fail. The independence of the layers is what makes the multiplication valid; a common cause that defeats two layers at once (the same fire, the same insider) earns credit for only one of them.

The task for the weapon system designers is to develop a nuclear weapon safety theme (an integrated hardware and software approach, tailored to the specific operational sequence of the proposed weapon system) based on this philosophy, that can be demonstrated via analyses and test to comply with the quantitative nuclear safety standards. Another general assumption within the nuclear weapon safety community is that purely electronic safety features (i.e., circuits built from semiconductors, microprocessors, integrated chips, etc.) can only be credited with contributing to safety in normal environments, that is, environments in which the hardware is intact and behaving as designed; a wiretapping attack on an otherwise undamaged system is an example. Demonstrating the behavior of such electronic subsystems in abnormal environments (fire, crush, lightning, immersion) to the stringent levels required of nuclear safety is considered impractical and prohibitively expensive, so they receive no credit there.

2.0    Nuclear Safety Requirements

The basic nuclear safety goals are outlined in four safety standards within DoD Directive 3150.02 and its complementary manual DoD 3150.02M.  These standards must be complied with in any nuclear weapon system’s approach to safety, and are as follows:

  1. Prevent nuclear weapons involved in accidents or incidents, or jettisoned weapons, from producing a nuclear yield.

  2. Prevent DELIBERATE prearming, arming, launching, firing, or releasing of nuclear weapons except upon execution of emergency war orders or when directed by competent authority.

  3. Prevent INADVERTENT prearming, arming, launching, firing, or releasing of nuclear weapons.

  4. Ensure adequate security of nuclear weapons pursuant to the provisions of DoD Directive 5210.41.

Further, a fifth concern, although not formally documented, is the prevention of any credible accident from causing the dispersal of plutonium or special nuclear material (SNM). DoD Directive 5210.41 and its complementary manual DoD 5210.41M outline requirements for the security of nuclear weapons in all possible configurations.

Modern nuclear safety criteria have established that for nuclear weapons in a normal operational environment, the probability of an undesired nuclear event (a nuclear yield greater than 4 pounds TNT equivalent) must be less than 10^-9 over the lifetime of the nuclear weapon system. Additionally, in the abnormal environments to which a weapon may be subjected (such as lightning, fire, immersion at ocean depths, etc.), the probability of an undesired nuclear event must be less than 10^-6 per occurrence of such an abnormal environment. DoD Directive 5200.16 provides guidelines for the command and control (C2) system of a nuclear weapon, which carry similar requirements for protection against an outsider attack (10^-9) and an insider attack (10^-6). More specifically stated, a nuclear yield resulting from faults and failures in the nuclear weapon system shall have a probability of:

  1. Less than 1 x 10^-9 per weapon per stockpile lifetime in normal environments, in the absence of warhead-unique prearming, environmental or trajectory stimuli.

  2. Less than 1 x 10^-6 per weapon per exposure to an abnormal environment, in the absence of unique prearming or environmental stimuli.

  3. Less than 1 x 10^-4 per event, where an event is the application of the prearm command or the deliberate deployment (launch or release) of the weapon, in the absence of the arming signal.

In the event of a crisis in which a national defense alert has occurred and nuclear weapon systems are ordered to be released, a progressive reduction of the quantitative nuclear safety requirements is allowed, as the list above shows. The designer should strive to delay this reduction to as late in the release process as possible (i.e., as close to the target as possible), both to minimize the time the weapon spends in the less safe state and to limit the value of a subversive attack in which a spoofed crisis is used to trigger the reduction.
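The layered-credit arithmetic of section 1.0 (independent subsystems multiply, a capped credit per subsystem, electronic features credited in normal environments only) and the graded budgets of section 2.0 can be checked with a small model. The following is an added example, not part of the original post and not any DoD or DOE tool; the per-layer cap and the three budgets are the figures quoted in the text, while the layer names, the rule that the prearm command removes exactly one layer, and the treatment of the prearmed state as a normal environment (so the electronic layer still counts there) are assumptions made for the illustration. Exact fractions are used so that a product that lands exactly on a budget compares correctly.

```python
from dataclasses import dataclass
from fractions import Fraction

# Per-subsystem cap from section 1.0: no single layer is credited beyond 10^-3.
PER_LAYER_CAP = Fraction(1, 1000)

# Quantitative budgets from section 2.0 (probability of an undesired nuclear event).
BUDGETS = {
    "normal": Fraction(1, 10**9),    # per weapon per stockpile lifetime
    "abnormal": Fraction(1, 10**6),  # per exposure to an abnormal environment
    "prearmed": Fraction(1, 10**4),  # per prearm/deployment event, no arming signal
}


@dataclass(frozen=True)
class SafetyLayer:
    name: str
    credit: Fraction                 # credited probability that this layer alone fails
    electronic: bool = False         # purely electronic: credited in normal environments only
    removed_by_prearm: bool = False  # the prearm command legitimately passes this layer


def credited_layers(layers, environment):
    """Layers that may be counted in the given environment.

    abnormal: purely electronic layers get no credit (section 1.0 assumption).
    prearmed: the layer the prearm command removes is gone; assumed to remain a
              normal environment, so electronic layers are still credited.
    """
    result = []
    for layer in layers:
        if layer.credit > PER_LAYER_CAP:
            raise ValueError(f"{layer.name}: credit {layer.credit} exceeds the per-layer cap")
        if environment == "abnormal" and layer.electronic:
            continue
        if environment == "prearmed" and layer.removed_by_prearm:
            continue
        result.append(layer)
    return result


def combined_probability(layers, environment="normal"):
    """Probability that every credited, independent layer fails: the product of the credits."""
    p = Fraction(1)
    for layer in credited_layers(layers, environment):
        p *= layer.credit
    return p


def meets_budget(layers, environment):
    """True when the combined probability is at or below the budget for that environment."""
    return combined_probability(layers, environment) <= BUDGETS[environment]


def layers_required(target, per_layer_credit=PER_LAYER_CAP):
    """Minimum number of independent layers, each credited at per_layer_credit,
    whose product is at or below target (2 for 10^-6, 3 for 10^-9 at the 10^-3 cap)."""
    if not (0 < per_layer_credit < 1 and 0 < target < 1):
        raise ValueError("credits and targets must be probabilities strictly between 0 and 1")
    n, p = 1, per_layer_credit
    while p > target:
        n += 1
        p *= per_layer_credit
    return n


# Hypothetical safety theme (constructed for this example): two non-electronic layers
# and one electronic layer, each credited at the cap.
EXAMPLE_THEME = [
    SafetyLayer("mechanical environment-sensing feature", PER_LAYER_CAP),
    SafetyLayer("mechanical prearm interlock", PER_LAYER_CAP, removed_by_prearm=True),
    SafetyLayer("electronic command-validation circuit", PER_LAYER_CAP, electronic=True),
]


def assess(layers=EXAMPLE_THEME):
    """Return {environment: (combined probability, budget, meets budget?)} for every budget."""
    return {
        env: (combined_probability(layers, env), BUDGETS[env], meets_budget(layers, env))
        for env in BUDGETS
    }


if __name__ == "__main__":
    print("layers needed for 10^-6:", layers_required(BUDGETS["abnormal"]))
    print("layers needed for 10^-9:", layers_required(BUDGETS["normal"]))
    for env, (p, budget, ok) in assess().items():
        print(f"{env:9s} P={str(p):>14} budget={str(budget):>14} {'meets' if ok else 'FAILS'}")
```

Running the model shows why three layers, not two, are the minimum for the normal-environment budget, and why an all-electronic theme would fail the abnormal-environment budget outright: with the electronic layer discounted, only the two mechanical layers remain, which is exactly the 10^-6 that the abnormal budget allows and no better.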