Strong link/weak link
A strong link/weak link and exclusion zone nuclear detonation mechanism is a type of safety mechanism employed in the arming and firing mechanisms of modern nuclear weapons.[1]
The safety mechanism starts by enclosing the electronics and mechanical components used to arm and fire the nuclear weapon with a mechanical and electrical isolation barrier, the energy barrier,[2] which encloses and defines the exclusion zone. This is insulated from mechanical, thermal, and electrical disruptions (such as static electricity, lightning, or fire).[3]
Between the exclusion zone and the actual detonators, a normally-disconnected link mechanism is used, such as a switch which has a built-in motor to activate it. The arming system has to activate the switch in order to connect the firing circuits to the detonators in the weapon. This disconnection, which requires the arming mechanism to operate, is called the strong link.
It is possible for an accident (rocket explosion, airplane crash, accident while weapon is being moved) to disrupt the weapon and break the integrity of the exclusion zone. As a safety mechanism, a weak link is also built into the system. This is a set of components designed to fail at lower stresses (thermal, mechanical, and electrical) than the strong links, and will prevent signals from the strong links from reaching the detonators. The weak link acts to break the connection to the detonators before the strong link could be disrupted and fail by the stress of an accident: by the time the strong links fail, the weapon has already been rendered permanently inoperable.[2] Strong links and the following weak links are intentionally co-located, so that they will experience similar environmental conditions.[4]: 71
The following table summarises the effects of failure modes in the strong and weak links:
Strong link condition | Strong link output | Weak link intact | Weak link failed (open) | Weak link failed (closed)
---|---|---|---|---
Intact | No signal | No signal passed through energy barrier | No signal passed through energy barrier (and open weak links) | This state is designed to be impossible
Intact | Signal to fire | Intentional detonation | Failed weak links prevent detonation | This state is designed to be impossible
Failed | Open (no signal) | This state is designed to be impossible | No signal passed through energy barrier (and open weak links) | This state is designed to be impossible
Failed | Closed (passing signal, even if incorrect) | This state is designed to be impossible | Failed weak links prevent detonation, despite signal from failed-closed strong links | This state is designed to be impossible
Strong links
Strong links, at least in US nuclear weapons, are always implemented as electro-mechanical systems such as motor-driven switches.[2] There are two main requirements: when functional, never to allow an invalid signal to penetrate the energy barrier, and never to fail in a way that can pass a signal through the barrier before the weak links inside the exclusion zone have also failed.
The MC2935 and MC2969 devices were two similar devices based on a rotary solenoid, acting, respectively, as "trajectory" (passing a signal only when a missile's physical movement indicated a correct launch) and "intent" (signalling that a detonation is desired by the operator) strong links.[2]: 6
The Mechanical Safing and Arming Device (MSAD) strong link device used a small pellet of sensitive high explosive to trigger a larger charge of insensitive high explosive. Normally, the pellet was held away from the main charge, and was physically moved into position only when the strong link was activated by a valid input and detonated by a mechanical "slapper". The MSAD also contained a weak link: the pellet would burn or explode harmlessly in a fire when it was not in position, and the insensitive explosives could not then be detonated at all.
Multiple strong links could be used in series, which, when properly designed, multiplies the safety factor.[5]: 44 The B61 nuclear bomb, for example, gated the trajectory strong link behind the intent strong link. Until the correct intent unique signal was sent, the trajectory unique signal would not even be presented to the trajectory strong link inputs.[5]: fig. 44
Unique signals
Strong links implement a mechanism where only a single, unique form of energy may enter the exclusion zone. This energy is encoded as a unique signal: a sequence of "events" which must occur in a precise and preset pattern for the link to activate. This pattern is specifically designed to be extremely unlikely to occur by chance.[6]: 18 The pattern is checked for validity by a discriminator. In some devices, known as single-try discriminators, an incorrect event pattern leads to the device becoming inoperable: the weapon cannot then be reset and fired remotely. "Multiple-try" discriminators could be reset remotely. A single-try strong link might have an event sequence of 24 events, whereas a multiple-try device would have more: the MC2969 had 47.[7]: 54
Unique signal patterns were always the same for a given strong link discriminator, and were not secret or classified: they were designed only for safety purposes and not security.[8]: 5,37 Each strong link had a different signal, so as to avoid the possibility of common mode failure.
Unique signals were used because it was recognised that it was impossible to fully isolate the strong link from any and all electrical sources in an "abnormal environment" (such as a disintegrating aircraft). By encoding the only valid signal as a unique pattern of information, the safety principle of "incompatibility" was introduced: the signal is "incompatible" with all other electrical energy because the information that makes up a unique signal is not present in any other components (such as signal buffers or storage). Therefore the channel over which the unique signal (UQS) is transmitted does not need to be proven to have a safe response. Only the signal generator and the strong link need to be proven to have safe behaviour until such time as the weak links render the weapon inert.[7]: 1
Critically for maintaining this safety, the strong link discriminator must be the only place in the entire system where "decisions" are made, and the transmission channel must never be permitted to retain knowledge of events, handle multiple events at once or re-order events, as any of these may permit a single action to generate multiple signal events.[7]: 38 Additionally, all events must be processed identically: to do otherwise constitutes pre-storage of knowledge of the UQS and biases the channel.[7]: 35 Events may be sent or received in any format (e.g. digitally, as voltage levels, mechanically, etc.) as long as these conditions are met; format translation is also permitted as long as the translator transmits each event before processing the next one.[7]: 37
Unique signals were usually encoded as sequences of binary data (strictly, the data did not have to be binary, but the longer sequences that binary encoding requires were deemed to be outweighed by the simpler implementations). Unique signals were carefully designed to have statistical properties extremely unlikely to exist unintentionally, and were also designed to be transmitted not only electrically via voltage or pulse-width modulation, but also mechanically (e.g. a push-pull rod), optically or pneumatically.[7]: 6 Events are described alphabetically, rather than numerically (e.g. 0 and 1), to avoid confusion with specific physical signals; a two-event sequence would have "A" and "B" events.[7]: 30
Examples of statistical weaknesses that undermine safety properties include sequence symmetry, periodicity, repeated events, imbalances between events (event-wise balance: almost equal numbers of "A" and "B" events), imbalances between pairs (pair-wise balance: "AA", "AB", "BA" and "BB" should be almost equal in occurrence) and correlations with other unique signals (as this would permit events from a different UQS to bias this one).[7]: 30 [6]: 18
Testing signals
Testing and training signals that would ever be transmitted to a weapon were also carefully chosen to be statistically weak unique signals, which would still test the integrity of the signal transmission system. This was done so that a test signal, being very different from a genuine signal with its strong statistical properties, could never be mistaken for the valid UQS.[7]: 30
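The single-try and multiple-try discriminator behaviour and the statistical weaknesses described under "Unique signals", together with the deliberately weak test signals described above, as an added example that is not part of the original article. It is a toy Python model: the 24-event pattern, the test signal, the tolerance values and all class and function names are constructed for illustration and do not correspond to any real unique signal or device.

```python
from collections import Counter

# Constructed 24-event pattern for illustration only; not any real unique signal.
PATTERN = "ABBAAABAABBBABBBAABAAABB"
TEST_SIGNAL = "AB" * 12  # constructed, deliberately weak (periodic) test signal

def weaknesses(seq, event_tol=1, pair_tol=2):
    """Flag statistical weaknesses in an A/B sequence (tolerances are assumed)."""
    found, n = set(), len(seq)
    events = Counter(seq)
    if abs(events["A"] - events["B"]) > event_tol:
        found.add("event imbalance")
    pairs = Counter(seq[i:i + 2] for i in range(n - 1))
    counts = [pairs[p] for p in ("AA", "AB", "BA", "BB")]
    if max(counts) - min(counts) > pair_tol:
        found.add("pair imbalance")
    if seq == seq[::-1]:                       # reads the same backwards
        found.add("symmetry")
    if any(seq[p:] == seq[:-p] for p in range(1, n // 2 + 1)):
        found.add("periodicity")               # repeats with some period p
    return found

class Discriminator:
    """Checks one event at a time; the only component that knows the pattern."""
    def __init__(self, pattern, single_try=True):
        self.pattern, self.single_try = pattern, single_try
        self.pos, self.state = 0, "safe"

    def feed(self, event):
        if self.state != "safe":               # locked or enabled: ignore input
            return self.state
        if event != self.pattern[self.pos]:
            self.state = "locked"              # first wrong event ends the attempt
        else:
            self.pos += 1
            if self.pos == len(self.pattern):
                self.state = "enabled"
        return self.state

    def reset(self):
        if self.state == "locked" and not self.single_try:
            self.pos, self.state = 0, "safe"   # only multiple-try devices recover
        return self.state

def run(disc, seq):
    for event in seq:                          # events delivered strictly in order
        disc.feed(event)
    return disc.state
```

The weak test signal exercises the channel but locks the discriminator at its third event, and only the multiple-try variant can be reset afterwards.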
To test the unique signal generators, devices such as the CM-458/U Signal Comparator were used to check that the signals that would be passed to the strong link were correct. The CM-458/U tested the DCU-201 or DCU-218 Aircraft Controller, which passed the unique signal to the weapon's MC2969 intent strong link. The CM-458, built by Sparton Technology, tested voltages, pulse widths and signal sequence against the fixed sequence for the strong link, and was mounted on the aircraft pylon in order to also test the aircraft wiring.[8]: 5
Weak links
The weak links, which follow the strong links, are designed to fail earlier than the strong links. There are many kinds of weak link, which are sensitive to conditions including thermal, electrical or mechanical problems. Some weak links are dedicated devices inserted into the signal paths that function only as weak links, and others can also be critical parts of the weapon that are designed to become inoperative under certain conditions.
An example of a temperature-sensitive weak link is the capacitors in the firing set, which are charged and then discharged to trigger the detonators. These can be deliberately designed to fail when a specific high temperature is reached, which will prevent the firing set from being able to detonate the explosives.[2]: 6
Limitations
These mechanisms do not prevent misuse of the weapon, which is restricted by Permissive Action Link code systems, or an accident from physically causing initiation of the explosives or detonators directly from extremely high temperatures, impact forces, or electrical disturbance such as lightning. The risk of accidental direct detonation is significantly reduced by using insensitive high explosives such as TATB, which is extremely unlikely to detonate due to fire, impact or electricity. While TATB may decompose or burn in a fire, it is extremely unlikely to detonate as a result of that decomposition or burning.
References
- Steven M. Bellovin. "Permissive Action Links". Archived from the original on 2022-04-30. Retrieved 2007-03-11.
- Elliott, Grant (2005-12-12), "US Nuclear Weapon Safety and Control" (PDF), MIT Program in Science, Technology, and Society, archived from the original (PDF) on 2012-06-19, retrieved 2022-05-07
- Permissive Action Links, Carey Sublette, at the Nuclear Weapon Archive, accessed March 11, 2007
- DTIC ADA520718: Nuclear Matters. A Practical Guide, Defense Technical Information Center, 2008
- SAND88-2986: Interim Development Report for the B61-6-8 bombs, Sandia National Laboratories and Los Alamos National Laboratory, 1989-05-01, retrieved 2022-05-09
- 23rd Aerospace Mechanisms Symposium, NASA, 1989-05-05
- SAND91-1269: The Unique Signal Concept for Detonation Safety in Nuclear Weapons (PDF), System Studies Department, 331, Sandia National Laboratory, 1992-12-01, archived from the original (PDF) on 2022-03-02, retrieved 2022-05-07
- Warren G. Merritt; David Kestly (1980-06-01), SAND80-1268: CM-458/U Signal Comparator, Sandia National Laboratories, doi:10.2172/5375683, retrieved 2022-05-09