A primary responsibility of the Department of Defense and Department of Energy stockpile mission is to ensure U.S. nuclear weapons are safe, secure, and under positive control, a concept commonly referred to as “surety.”1 Safe, secure, and under positive control applies across the stockpile, to individual weapons, throughout the U.S. nuclear weapons life cycle. Simply stated, a nuclear weapon must always detonate on an intended target when authorized by the President, and never detonate in any other environment or for any other reason.2 The consideration of safety, security, and control begins with the earliest design phase—through sustainment and deployment—to employment or retirement.
This consideration is applied to weapons, material, components, information, personnel, and all activities associated with U.S. nuclear weapons.
Nuclear surety is a shared responsibility between DoD and DOE/NNSA. A 1983 MOU, signed by the Secretaries of Defense and Energy, reaffirmed the obligation of DoD and DOE to protect public health and safety, and provided the basic premise for dual-agency judgment and responsibility for safety, security, and control of nuclear weapons. In 2011, the Deputy Secretaries of Defense and Energy signed a DoD-DOE Nuclear Physical Security Collaboration Memorandum, which further solidified the DoD-DOE commitment to develop common standards for the physical security of nuclear weapons and special nuclear material (SNM).
Because a nuclear weapon is in DoD custody for the majority of its lifetime, DoD is responsible for a wide range of operational requirements. NNSA is responsible for the design, production, assembly, surety technology, disassembly, and dismantlement of U.S. nuclear weapons. NNSA is also responsible for the transportation of weapons to and from the military destination. Overlaps in responsibility exist between DoD and NNSA, thus requiring considerable coordination between the two regarding surety issues.
For example, DoD and NNSA share responsibility for the interface between the weapon and the delivery system and for accident prevention and response.
The objective of the DoD Nuclear Weapons Surety Program and the DOE Nuclear Explosive and Weapon Surety Program is to ensure adequate safety and security of nuclear weapons and to prevent the inadvertent or unauthorized use of U.S. nuclear weapons. DoD surety standards are promulgated under DoD Directive (DoDD) 3150.02, DoD Nuclear Weapons Surety Program. DOE continues to revise its standards to emphasize its responsibilities for nuclear explosive operations with DOE Order (DOE O) 452.1E, Nuclear Explosive and Weapon Surety Program. Although the operating environments differ significantly, DoD and DOE standards share many similarities. Figure 8.1 lists DoD nuclear weapon surety standards and DOE nuclear explosive surety standards.
Nuclear weapons require special safety consideration due to their unique destructive power and the catastrophic consequences of an accident or unauthorized act. Nuclear weapons system safety refers to the collection of positive measures designed to minimize the possibility of a nuclear detonation resulting from accidents, unauthorized actions, errors, or acts of nature. For safety purposes, a nuclear detonation is defined as an instantaneous release of energy from nuclear events (i.e., fission or fusion) exceeding the energy released from an explosion of four pounds of TNT. Nuclear safety also encompasses design features and actions to reduce the potential for dispersal of radioactive materials in the event of an accident. Nuclear weapons system safety integrates policy, organizational responsibilities, and the conduct of safety-related activities throughout the life cycle of a nuclear weapon system. For additional information on DoD policy, see DoDD 3150.02, DoD Nuclear Weapons Surety Program.
The nuclear weapon safety philosophy deviates from many other performance criteria, insofar as safety is not synonymous with reliability. Safety is concerned with how things fail, as opposed to focusing on what must work for reliability, and relies mostly on passive approaches rather than on active ones. Nuclear weapons safety requirements must be met in the event of an accident, with or without human intervention. For nuclear weapons, reliability is the probability that a weapon will perform in accordance with its design intent or military requirements, whereas safety focuses on preventing a nuclear detonation under all circumstances except when directed by the President. High reliability is required for expected operational, or normal, wartime employment environments. Safety is required for normal wartime employment environments, normal environments, and abnormal environments, such as a weapon involved in a vehicle or aircraft accident.
Normal environments are the expected logistical and operational environments, as defined in a weapon’s military characteristics and stockpile-to-target sequence (STS) documents, in which the weapon is expected to survive without degradation in operational reliability. Normal environments include a spectrum of conditions that the weapon could be subjected to in peacetime logistical situations and in wartime employment conditions up to the moment of detonation. For example, a normal environment may include conditions such as a temperature range of minus 180 to plus 155 degrees Fahrenheit, a force of 10G set-back upon missile launch, or shock from an impact of a container being dropped from a height of up to two inches.
Abnormal environments are the expected logistical and operational environments, as defined in a weapon’s military characteristics and STS documents, in which the weapon is not expected to retain full operational reliability. Abnormal environments include conditions not expected in normal logistical or operational situations, but could occur in credible accidental or unusual situations, including an aircraft or vehicle accident, lightning strike, shipboard fire, or a bullet, missile, or fragmentation strike.
The following are safety criteria design requirements for all U.S. nuclear weapons:
Modern nuclear weapons incorporate a number of safety design features. These features provide high assurance that an accident or other abnormal environment will not produce a nuclear detonation. They also minimize the probability that an accident or other abnormal environment will cause the scattering of radioactive material. Whether to include various safety features in the design of a particular warhead is predicated on making trade-offs in performance parameters. Both must be part of the calculus. Thus, not all warhead types incorporate every available safety feature. However, all U.S. warheads meet the specific safety criteria across the range of both normal and abnormal environments and are extremely safe.
Enhanced Nuclear Detonation Safety
Nuclear detonation safety is intended to prevent nuclear detonation from either accidental or inadvertent causes. For all current weapons in the U.S. stockpile, the firing system forms a key part of detonation safety implementation. The goal of nuclear safety design is to prevent inadvertent nuclear yield by isolating the components essential to weapon detonation from significant electrical energy.
This involves the enclosure of detonation-critical components in a barrier to prevent unintended energy sources from powering or operating the weapon’s functions. When a barrier is used, a gateway is required to allow the proper signals to reach the firing set. A gateway can also be used to prevent the firing set stimulus from reaching the detonators. These gateways are known as stronglinks. The enhanced nuclear detonation safety (ENDS) concept is focused on a special region of the weapon system containing safety-critical components designed to respond to abnormal environments in a predictably safe manner. This ensures nuclear safety is achieved in an abnormal environment despite the appearance of premature signals at the input of the special region. Figure 8.2 illustrates this modern nuclear safety architecture.
Stronglinks operate upon receipt of a unique signal (UQS) and open only upon receipt of a unique signal indicating proper human intent (UQS #1) or a specific weapon trajectory (UQS #2). Stronglinks are designed to withstand severe accident environments including physical shock, high temperatures, and high voltage. Before stronglink failure occurs, another component is designed to render the firing set safe: the weaklink. The weaklink is designed so that, in the event that a certain part of a warhead is ruptured, it will keep the weapon’s electrical system in safe mode, thereby preventing a nuclear detonation. Any force strong enough to pass the stronglink will rupture the weaklink, “freezing” the electrical system in a safe condition.
Modern safety requirements dictate that each firing set contains two independent stronglinks. The UQS for the intent stronglink cannot be stored in the weapon and must be entered by a human. The unique signal pattern for the trajectory stronglink is frequently stored in a trajectory-sensing subsystem. This subsystem is designed to sense when the warhead is progressing along its prescribed environmental path. If the warhead senses the expected sequence it will detonate as designed.
To ensure nuclear weapons only detonate as a result of authorized use (presidential direction), there are four principal safety themes for nuclear weapons: isolation, incompatibility, inoperability, and independence. The stronglink plays an important role in all four themes.
Isolation. The critical components necessary for a nuclear detonation are isolated from their surroundings by placing them within a physical barrier known as an exclusion region. This barrier blocks all forms of significant electrical energy, such as lightning or power surges, even when the exclusion region is subjected to a variety of abnormal environments.
Incompatibility. It is critical to ensure only a deliberate authorized act activates the stronglinks and opens the energy circuit. The act can originate from human intent or the delivery environments of the weapon. A ballistic missile, for example, will travel through the atmosphere, into the exo-atmosphere, and back into the atmosphere in a predictable manner. Any deviation from this predictable trajectory will incapacitate the weapon. The stronglink serves as an electrical combination lock preventing weapon usage until deliberate action occurs. The combination to the lock is a complex pattern of binary pulses. To activate the stronglink switch, an operator must input the unique signal information when the weapon is ready for use. This information is converted into a unique pattern of long and short electrical pulses, which is the only signal that will activate the stronglink. Any other pattern is incompatible: it will not activate the stronglink and will cause the switch to lock up and remain in a safe condition. Figure 8.3 illustrates the concept of incompatibility.
Each stronglink contains one pattern and can only be operated by receiving its unique pattern. Stronglink patterns are analyzed for their uniqueness to ensure they are incompatible with naturally occurring signals. This prevents natural phenomena like lightning strikes and static electricity from activating a stronglink. Additionally, stronglinks are engineered so that the probability of their accidental activation from a naturally occurring source is far less than one in a million.
Inoperability. At some level of exposure to an abnormal environment, the energy from the weapon’s surroundings becomes so intense that the barrier loses its integrity and melts or ruptures. Incorporating environmental vulnerability into weaklinks ensures nuclear safety. Weaklinks perform the opposite function of stronglinks. They must be functional for a nuclear detonation, but weaklinks are designed to fail at relatively low environmental levels, thus rendering the weapon inoperable. These levels are low enough to ensure the weaklink fails before the stronglink or exclusion barrier fails.
At the same time, weaklinks are designed to withstand abnormal activity experienced throughout the life cycle of the weapon. Ideally, the weaklinks are co-located with the stronglink so both components experience the same environmental assaults. Figure 8.4 is a diagram of the concept of inoperability.
Independence. Typically, two different stronglinks with different patterns are used in each weapon to provide the required assurance of safety. With independent stronglinks, a flaw may cause one stronglink to fail, but the other stronglink will still protect the weapon.
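The incompatibility, inoperability, and independence themes above can be read as a fail-safe state machine. The following conceptual model is an added example, not part of the original handbook and not a representation of any fielded design; the pulse patterns, their lengths, the class and function names, and the assumption that noise pulses are independent and equally likely to be long or short are all constructed for illustration.

```python
"""Conceptual model of a fail-safe sequential lock (illustrative only)."""
from enum import Enum


class State(Enum):
    SAFE = "safe"      # closed, still listening for the next pulse
    OPEN = "open"      # the complete unique pattern was received
    LOCKED = "locked"  # an incompatible pulse arrived; latched safe


class Stronglink:
    """Opens only on its own pattern of long ('L') / short ('S') pulses."""

    def __init__(self, pattern):
        self._pattern = tuple(pattern)
        self._pos = 0
        self.state = State.SAFE

    def pulse(self, symbol):
        if self.state is not State.SAFE:
            return self.state            # OPEN or LOCKED: input is ignored
        if symbol != self._pattern[self._pos]:
            self.state = State.LOCKED    # first wrong pulse latches the lock
            return self.state
        self._pos += 1
        if self._pos == len(self._pattern):
            self.state = State.OPEN
        return self.state

    def feed(self, symbols):
        for s in symbols:
            self.pulse(s)
        return self.state


class FiringPath:
    """Two independent stronglinks in series with a weaklink."""

    def __init__(self, intent_pattern, trajectory_pattern):
        self.intent = Stronglink(intent_pattern)
        self.trajectory = Stronglink(trajectory_pattern)
        self.weaklink_intact = True

    def abnormal_environment(self):
        self.weaklink_intact = False     # irreversible: fails before barriers do

    def energy_can_pass(self):
        return (self.weaklink_intact
                and self.intent.state is State.OPEN
                and self.trajectory.state is State.OPEN)


def every_single_deviation_locks(pattern):
    """True if altering any one pulse of the pattern leaves the link LOCKED."""
    for i, sym in enumerate(pattern):
        wrong = "S" if sym == "L" else "L"
        altered = pattern[:i] + wrong + pattern[i + 1:]
        if Stronglink(pattern).feed(altered) is not State.LOCKED:
            return False
    return True


def shortest_pattern_length(max_probability):
    """Shortest binary pattern whose chance of being matched by one random
    pulse train (assumed independent, 50/50 pulses) is below the bound."""
    n = 1
    while 0.5 ** n >= max_probability:
        n += 1
    return n


# Constructed sample patterns, not real values.
INTENT = "LSSLLSLSSLLLSLSSLSLLSSLS"
TRAJECTORY = "SSLSLLLSLSSLLSLSLLSSLSLL"

if __name__ == "__main__":
    path = FiringPath(INTENT, TRAJECTORY)
    path.intent.feed(INTENT)
    print("intent only:", path.energy_can_pass())
    path.trajectory.feed(TRAJECTORY)
    print("both links:", path.energy_can_pass())
    path.abnormal_environment()
    print("weaklink failed:", path.energy_can_pass())
    print("min length for < 1e-6:", shortest_pattern_length(1e-6))
```

The model latches on the first incompatible pulse rather than waiting for the full train, so a later correct pattern cannot recover it; that latch is what makes the lock fail-safe instead of merely selective.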
Insensitive High Explosive
The definition of insensitive high explosive (IHE) is found in the DOE Explosives Safety Standards, which states that some explosive substances, although mass detonating, are so insensitive that the probability of accidental initiation or transition from burning to detonation is negligible. Those explosive substances that have been approved/qualified as IHEs, to date, are TATB (trinitrobenzene) and its formulations with polychlorotrifluoroethylene (PCTFE). IHE is less sensitive to shock or heat, making the weapon more resistant to accidental detonation than conventional high explosive (CHE). Not all weapons can be designed with IHE because IHE is heavier and takes up more space in the weapon than CHE. As a result, IHE is incompatible with some weapons designed to meet specific operational requirements.
Fire-Resistant Pit
Another feature of enhanced nuclear weapons design safety is the fire-resistant pit (FRP). In an accident, plutonium can be dispersed if it is aerosolized by intense heat, such as that from ignited jet fuel. To prevent this, the nuclear weapon pit can be designed with a continuous barrier around it. This barrier is designed to contain the highly corrosive, molten plutonium for a sufficient amount of time to extinguish the fire.
Because of their unique characteristics and national significance, nuclear weapons demand the highest standards of security. Derived from Presidential policy directives, the employment of interrelated and supporting capabilities, principles, and practices are intended to protect nuclear weapons from unauthorized access, theft, damage, destruction, sabotage, or unauthorized use. Nuclear weapons security integrates technology, security forces, personnel assurance standards, and tactics, techniques, and procedures into a comprehensive security concept. This concept establishes a defense-in-depth framework that ensures the highest physical security standards are employed through the use of active and passive measures throughout a weapon’s life cycle.
The Departments are responsible for providing appropriate security for all nuclear weapons in their custody. Custody is defined as the responsibility for controlling the transfer, movement, and access to a nuclear weapon or its components. Inherent in these custodial responsibilities is control of the weapon, and the custodial agent must secure the weapon to ensure positive control is maintained at all times.
DoDD 5210.41, Security Policy for Protecting Nuclear Weapons, establishes the DoD Nuclear Weapon Security Standard (NWSS). The objectives of the standard include:
The NWSS defines two fundamental tenets of nuclear weapons physical security. The first tenet is “to deny unauthorized access to nuclear weapons,” and the second is “failing denial, take any and all actions necessary…to regain control of nuclear weapons immediately.”
In order to meet the NWSS, the overriding objective of the nuclear weapons security system is to deter attempts at unauthorized access through the combination of physical security features, technology, and dedicated security forces. Together, the security capabilities support the NWSS and are commonly referred to as the five “Ds” of nuclear security: deter, detect, delay, deny, and defeat (Figure 8.5).
Deterrence is the overall goal of the security system and is achieved through the robust application of detection, delay, denial, and defeat capabilities. The inherent features of the physical security system and the capabilities of a dedicated security force visibly discourage adversary actions.
Detect
Detection is achieved through effective entry control, vigilant patrolling, and observation supported by a suite of sensors and assessment devices specifically engineered and designed to meet NWSS objectives. Detection and assessment should be accomplished as far away from the nuclear weapon as possible and reported immediately to responding forces. Coupled with support from law enforcement, and with the intelligence community providing situational awareness outside the protected area, full spectrum detection is achieved.
Delay
The adversary path to a nuclear weapon is a function of time and is affected by the speed, distance, security force capabilities, and the mission tasks necessary to achieve unauthorized access. Delay is accomplished by prolonging the time it takes an adversary to obtain unauthorized access. The combined effect of physical security features and security force interdiction slows the advance of an adversary, thereby allowing security forces additional time to engage and defeat them.
Deny
Denial is the combination of forces, technology, physical infrastructure, and information that denies an adversary strategic and tactical advantages such as surprise, concealment, and terrain. Denial technologies, security force tactics, and structures encompass the operational space from protected areas to a distance that provides the greatest tactical advantage for security forces. Denial can include technologies that have incapacitating or lethal capacity consistent with use of force rules.
Defeat
If denial fails, security forces and systems must defeat a hostile adversary and immediately regain control of the nuclear weapon. Dedicated security forces are organized, trained, and equipped to survive and prevail while tactically maneuvering to decisively engage and defeat adversaries.
DoD and NNSA regularly evaluate their capability to keep nuclear weapons secure. Through exercises, modeling and simulation, inspections, and corrective action, the Departments continue to evolve their tools, techniques, processes, and procedures. The DoD Force-on-Force (formerly the MIGHTY GUARDIAN) program is designed to test DoD and Military Department-level security policy and ensure the NWSS can be achieved wherever nuclear weapons, materials, and command and control facilities and platforms are operated. The process combines force-on-force exercises and engineering assessments to evaluate the effectiveness of nuclear security policy and standards with the goal of improving the U.S. nuclear security system.
To encourage collaboration and develop a standardized approach to nuclear security between DoD and NNSA, the Security Policy Verification Committee (SPVC) is an interagency body that meets bi-annually on nuclear security enterprise matters. From emerging threats and opportunities for joint exercises to pursuing common technological security solutions, the SPVC is a forum for sharing lessons learned and advancing nuclear physical security.
NNSA has programs similar to those of DoD to ensure the physical security of nuclear weapons and SNM in transport to and from NNSA locations, laboratories, and plants. Like DoD, NNSA evaluates its future security capabilities to ensure adequate security is provided to meet identified threats.
Both DoD and DOE have personnel reliability assurance programs to ensure personnel assigned to nuclear weapons-related duties are trustworthy. The DoD Personnel Reliability Assurance Program (PRAP) and the DOE Human Reliability Program (HRP) ensure trustworthy personnel possess the necessary judgment to work with nuclear weapons. Within physical proximity of nuclear weapons, unescorted access is limited to those who are subject to a DoD or DOE reliability program.
DoD-PRAP and DOE-HRP are designed to ensure the highest possible standards of individual reliability for those personnel assigned to nuclear weapons duties. They emphasize the importance of the individual’s loyalty, integrity, trustworthiness, behavior, and competence. The programs apply to all personnel who handle nuclear weapons, nuclear weapon systems, or nuclear components or materials, as well as to those who have access to nuclear weapons. DoD and DOE personnel reliability programs ensure authorized access to nuclear weapons is limited to those personnel who have been carefully screened and certified.
Before personnel are assigned to designated DoD-PRAP or DOE-HRP positions, a screening process is conducted that includes:
The certifying official is responsible for determining a person’s overall reliability and for assigning the individual to a substantive nuclear weapons-related position.
Once a person begins to perform duties in a DoD-PRAP or DOE-HRP position, the individual is periodically evaluated to ensure continued conformity to reliability standards. Any information raising questions or concerns about an individual’s judgment or reliability is subject to review. Personnel who cannot meet the standards are disqualified from the program and relieved of their nuclear weapons-related responsibilities.
The most important aspect of procedural security is the two-person rule, which requires the presence of at least two cleared PRAP- or HRP-certified, task-knowledgeable individuals whenever there is authorized access to a nuclear weapon. Each person is required to be capable of detecting incorrect or unauthorized actions pertaining to the task being performed. Restricted entry to certain sectors and exclusion areas based on strict need-to-know criteria reduces the possibility of unauthorized access.
The term use control refers to the collection of measures that facilitate authorized use of nuclear weapons but protect against deliberate unauthorized use. These measures include a combination of weapon design features and operational procedures.
Use control is achieved by designing weapon systems with electronic and mechanical features that prevent unauthorized use and allow authorized use. Not all use control features are installed on every weapon system.
Strategic nuclear missile systems and strategic heavy bomber aircraft use system coded control. Intercontinental ballistic missile (ICBM) crews require an externally transmitted launch code in order to dispatch a missile. Similarly, ballistic missile submarine (SSBN) crews require an externally transmitted authorization code to launch a submarine-launched ballistic missile (SLBM). Strategic bomber crews use a pre-arming circuit that also requires an externally transmitted authorization code to employ nuclear bombs or cruise missiles. The externally transmitted authorization code is received via nuclear control order or emergency action message (EAM), once authorized by the President.
A coded control device (CCD) is a component that may be part of or inserted into the overall weapons system to ensure proper use and control (via coded electronic or mechanical means).
The command disablement system (CDS) allows for manual activation of the non-violent disablement of essential weapons components, which renders the warhead inoperable. The CDS may be internal or external to the weapon and requires human initiation. The CDS is not installed on all weapon systems.
The active protection system (APS) senses attempts to gain unauthorized access to weapon-critical components. In response to unauthorized access, critical components are physically damaged or destroyed automatically. This system requires no human intervention for activation and is not installed on all weapons systems.
The Trajectory Sensing Subsystem is a feature placed in the arming circuit of a weapon providing both safety and control. It prevents inadvertent functioning of the circuit until the weapon is launched or released and experiences environmental parameters specific to its particular delivery system. For example, accelerometers are a common tool employed for this purpose, detecting when the delivery system is in flight, so that only then will the warhead arm itself.
A permissive action link (PAL) is a device included in or attached to a nuclear weapon system in order to preclude arming and/or launching until the insertion of a prescribed, discrete code or combination. It may include equipment and cabling external to the weapon or weapon system to activate components within the weapon or weapon system. Most modern U.S. PAL systems include a multiple-code coded switch (MCCS) component.
DoD has broad responsibilities in the area of nuclear weapons use control. DoDI S-3150.07, Controlling the Use of Nuclear Weapons, establishes policies and responsibilities for controlling the use of nuclear weapons and nuclear weapons systems. It describes:
Use control responsibilities of NNSA include the design and testing of new use control features and their installation into nuclear weapons. Additionally, the national security laboratories provide technical support to reinforce DoD use control efforts. The NNSA Nuclear Explosive and Weapon Security and Control Program comprises an integrated system of devices, design techniques, and other methods to maintain control of nuclear explosives and nuclear weapons at all times. These use control measures allow use when authorized and directed by proper authority and protect against deliberate unauthorized use (DUU). Major elements of the program include:
The use control program encompasses the development, implementation, and maintenance of standards, plans, procedures, and other measures. These include the production of equipment designed to ensure the safety, security, reliability, and control of nuclear weapons and components in coordination with DoD. NNSA conducts research and development on a broad range of use control methods and devices for nuclear weapons and assists DoD in developing, implementing, and maintaining plans, procedures, and capabilities to store and move nuclear weapons. NNSA also assists other departments in developing, implementing, and maintaining plans, procedures, and capabilities to recover lost, missing, or stolen nuclear weapons or components.
1 There is no universally accepted definition of the term “nuclear surety” within the U.S. nuclear community. For the purposes of this handbook we discuss surety in the context of safety, security, and control.
2 Colloquially, insiders refer to the “always/never rule.” Nuclear weapons must always work when they are supposed to, and never detonate when they are not supposed to.