PPRuNe Forums


Military Aviation A forum for the professionals who fly military hardware. Also for the backroom boys and girls who support the flying and maintain the equipment, and without whom nothing would ever leave the ground. All armies, navies and air forces of the world equally welcome here.

Reply
 
Thread Tools Search this Thread
Old 27th Sep 2016, 10:06   #41 (permalink)
 
Join Date: May 2002
Location: Scotland
Posts: 154
AK - It is all in the report, but to summarise; On a previous sortie the lap straps had been routed through the handle with the result that it had been partially pulled, but not enough to fire the seat. After that sortie the pin had been inserted in a way that DID NOT render the handle safe. Numerous checks failed to reveal the incorrect fitting of the pin and on the day of the accident it only took a "nudge" from the full and free check to cause the seat to fire.
Timelord is offline   Reply With Quote
Old 27th Sep 2016, 11:14   #42 (permalink)
 
Join Date: May 2007
Location: upstairs
Posts: 139
Tuc, the CPS prosecute as a result of the findings of the Police investigation. The HSE have the power to initiate prosecutions as a result of their investigation. Not many Agencies have this power, the only other which comes to mind is the CAA. In general the HSE only act when they find evidence of a gross breach of the duties in the HASAWA. This is a pretty tough test and such prosecutions aren't common. The HSE must have determined that MBA did something in breach of the duty or, perhaps more likely, failed to do something (or even can't prove that they did something).

EAP
EAP86 is offline   Reply With Quote
Old 27th Sep 2016, 11:47   #43 (permalink)
 
Join Date: Feb 2003
Location: uk
Posts: 2,572
EAP86

Thank you and agreed. In this case, it was notable that the CPS issued their statement before the Inquest and release of the SI report, so most observers were in no position to comment; least of all family. And, like others (e.g. Nimrod, C130, Chinook), the police refused to interview witnesses. To me, this suggests interference in the judicial process. As mooted above, Martin Baker may be the defendant, but probing questions will mean an unseemingly scrum to fill the dock with MoD and Ministers (I hope!). It is difficult to see how the HSE would have missed this, given the evidence before it, so perhaps it is a deliberate strategy?
tucumseh is online now   Reply With Quote
Old 27th Sep 2016, 12:01   #44 (permalink)
 
Join Date: Mar 2007
Location: Bristol Temple Meads
Posts: 757
If there was no safety case, who signed off to say that the risks associated with th operation of the Mk10 ejection seat were Tolerable and ALARP? This must affect all aircraft fitted with the same type of seat.

DV
Distant Voice is offline   Reply With Quote
Old 27th Sep 2016, 12:45   #45 (permalink)
 
Join Date: Apr 2010
Location: London
Posts: 5,332
" It is difficult to see how the HSE would have missed this, given the evidence before it, so perhaps it is a deliberate strategy?"

Indeed - a nice way to nail or at least embarass a lot of people who probably think they are safe and dry...............................
Heathrow Harry is offline   Reply With Quote
Old 27th Sep 2016, 12:52   #46 (permalink)
 
Join Date: Feb 2003
Location: uk
Posts: 2,572
Quote:
If there was no safety case, who signed off to say that the risks associated with th operation of the Mk10 ejection seat were Tolerable and ALARP? This must affect all aircraft fitted with the same type of seat.
And, as stated above, it follows there can be no valid Hawk safety case, and hence no valid Release to Service. As I said, it is inconceivable the HSE don't realise this will be raised in court. Perhaps the HSE don't think this is a gross breach (nod to EAP86) but I suspect those who rely on a robust RTS do. A false declaration on the RTS? Been there before, haven't we? Chinook. Nimrod. Sea King. Tornado..........
tucumseh is online now   Reply With Quote
Old 27th Sep 2016, 13:39   #47 (permalink)
 
Join Date: Feb 2006
Location: Hanging off the end of a thread
Posts: 12,768
So with this pending prosecution, are we to assume that all the seats have been modified since to remove the problem? Or are there still issues with them?
NutLoose is online now   Reply With Quote
Old 27th Sep 2016, 13:50   #48 (permalink)
 
Join Date: Jun 2002
Location: CYYC
Posts: 3,885
Quote:
Also, IIRC, on older design seats, the shackle bolt was shouldered and could not be over-tightened as such.
sugarplum,
That's very interesting. I've always been interested in ejection-seat mechanisms, doubly so since I rode a live seat many years ago, in a Vampire T11. So when I read the report about the Scampton accident, I found it hard to believe that anyone would design the shackle without a shouldered bolt.

Two general questions about Safety Cases. I've just looked them up on Wiki and ended up more confused than before.

When were Safety Cases introduced into the RAF?

Is there a public domain Safety Case that I can read?
India Four Two is offline   Reply With Quote
Old 27th Sep 2016, 14:03   #49 (permalink)
 
Join Date: Oct 2007
Location: York
Posts: 380
A little bit of background with seat servicing. When hawk seats were first in service they went to the station seat bay every six months for inspection/servicing. This was then extended to twelve months, then over time twenty four months. At that point at least the seat bay staff on base could go out to the sqns and inspect and advise if there was a problem (which did increase with the 24 month servicing cycle). Then they shut down the bay's for centralised servicing and gradually lost the expertise on units. In the early years of the hawk, ejection seat maintenance training was deleted from armament technician training and seperate course introduced for those destined to work in a seat bay. This made for few trained staff which gradually got less over the years after the bay's closed. Not for one minute saying this would have made any difference whatsoever to the incident, it's just a fact, I'm sure better folks than I looked in to it and declared it good practice and saving a shed full of money.
dctyke is offline   Reply With Quote
Old 27th Sep 2016, 14:23   #50 (permalink)
 
Join Date: Jun 2009
Location: France
Age: 73
Posts: 5,544
I42 - You and me both. In my uninformed way, I assumed someone in MoD said build a Rolls Canardly Mk II, Somewhere Dareospace built it, AAEE tested it to make sure it is up to spec and worked and was safely built. Ditto components like seats. Occasionally someone designed something, which someone else checks but although working with best endeavours cocks it up and the system is dangerous, eg fuel link up from probe in the Nimrod. Where does the "safety case" fit in, what does it do?
Wander00 is offline   Reply With Quote
Old 27th Sep 2016, 14:52   #51 (permalink)
 
Join Date: Jun 2009
Location: Baston
Posts: 1,186
Please for the ignorant may we have a definition of a Safety Case?
langleybaston is offline   Reply With Quote
Old 27th Sep 2016, 15:34   #52 (permalink)
 
Join Date: Dec 2006
Location: UK
Posts: 677
Langley,

i'll try to help. And it's not ignorance - there's a lot of definitions out there. Wikipedia supplied this generic definition, taken from UK Def Stan 00-56:

A Safety Case is a structured argument, supported by evidence, intended to justify that a system is acceptably safe for a specific application in a specific operating environment

00-56 is still extant and often called out in contracts. This is a perfectly usable Standard, but the MAA decided to go their own way and create a bespoke set of regulations for air safety management. Their definition is set out in RA1250 thus:

An Air System SC is an up to date, through-life body of evidence that presents a coherent safety argument that demonstrates that all credible RtL associated with an Air System have been identified, assessed and mitigated satisfactorily.

In aircraft terms, a Safety Case is written around a defined system (defined by its build standard) and its specific application is set out in the requirements against which the system (aircraft) was designed. The safety case may also include limitations against the original requirement to manage identified hazards. Evidence will include analysis, component testing, demonstrations, rig tests, ground tests, and finally flight test. It can also include read-across from other systems. It can also be supported by safety cases for individual equipments (like ejection seats) or, further down the chain, chunks of evidence sometimes called safety statements.

The chain then moves on, with Build Standard (configuration) and the Safety Case being used to build the Release to Service (RTS) recommendations, which the RTS Authority uses to build and release the RTS.

What this means is this: when you go and sign for an aircraft, you should be able to assume that the equipment you are strapping into has been thoroughly analysed, tested and certified as safe to use within the limitation in your publications. That's what the RTS should give you. Moreover, you should be able to assume that if anyone in your command and engineering chains have changed the configuration (or servicing) of the system, then that change has been fully checked, tested and analysed against the current safety case. Again, you get this via the RTS.

I hope you can see why people like Tuc and Chug (and me) have been so vocal about this one. The MoD did not hold a Safety Case for the Mk10 seat. If they didn't hold that, they should never have issued an RTS for the aircraft. As Tuc has said elsewhere, it's highly probable that Martin Baker had a perfectly good 'Safety Statement' for the seat, to get it past their own internal safety management system. However, that document may not have been kept up to date, or supplied to the MoD, as the funds to support that activity were slashed in 1993. So, somewhere between the Mk10 entering service and 2011, the MoD ceased to have a Safety Case for the seat. The public needs to know why. And ACAS needs to explain how he issued an illegal RTS.

Best Regards as ever to those working hard to keep our people safe

Engines

Edit - Tuc got in just after me with an even better response. Hope these help.
Engines is offline   Reply With Quote
Old 27th Sep 2016, 15:35   #53 (permalink)
 
Join Date: Feb 2003
Location: uk
Posts: 2,572
LB

The Safety Case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensive and valid case that a system is safe for a given application in a given environment.

I've quoted Def Stan 00-56, but for example Boscombe Down and Westland use "Is the study of an aircraft or item of aircraft equipment to identify and show acceptability (or otherwise) of the potential hazards associated with it. The Safety Case provides a reasoned argument supported by evidence,establishing why the Design Authority is satisfied that the aircraft is safe to use and fit for its intended purpose". It is used to assist A&AEE in making (airworthiness) recommendations for a particular standard of aircraft".

Personally, I like the latter definition, mainly because it specifically mentions the build standard. Also, because it makes clear the Design Authority's responsibility, and talks of both aircraft and aircraft equipment (which MoD makes provision for in separate ways). In other words, the Def Stan was too simplistic, but served its purpose in the days when the target audience were taught this stuff at birth.

However, the first version is still ok. The "application and environment" bit means that a fundamental pre-requisite is a Statement of Operating Intent and Usage. (The Chinook Mk2 didn't have one, which is one of the things that buried MoD). All aircrew are required to have read and to have access to the SOIU. It forms the basis of the Aircraft Specification which the Build Standard(s) reflect. A version of the Safety Case exists against each Build Standard (in practice, a series of call-ups are used, in the same way drawings are controlled). The Release to Service is based on the Build Standard presented for trials.

It follows that SOIU, Build Standard, Safety Case and RTS must be maintained. This glider case is all about a breakdown of the process that does that maintaining.

There is seldom a "Safety Case" in the form of a single document - especially not on aircraft systems. What you have is a hierarchy of hundreds of not thousands of Safety case reports, which the Aircraft DA collates, forming a Whole Aircraft Safety Case. Trying to keep it simple here, but in this case MB would produce a Safety Case for the seat, which BAeS would subsume into the higher level Aircraft case. It is this process that determines, for example, why the ejection seat might be safe in a Hawk, but not in another aircraft. (Where the application bit comes in). Another example - this is one of the things that buried MoD on Nimrod XV230. The AAR modification/system was safe in one application, but not in the application to which it was put in Sept 2006. Similarly, C130 XV179.

Hope that helps.


Edit - sorry, Engines got in first.
tucumseh is online now   Reply With Quote
Old 27th Sep 2016, 15:43   #54 (permalink)
 
Join Date: Nov 2015
Location: Farnham, Surrey
Posts: 727
Quote:
Originally Posted by langleybaston View Post
Please for the ignorant may we have a definition of a Safety Case?
I doubt you will find an example of an aviation safety case in the public domain, but the [uk] requirement for them comes from standards like JSP-430 and Def Stan 00-56. The non-military HSE document R2P2 ("Reducing Risks and Protecting People") also has stuff to say about them.

As for a definition, 00-56 says:

"A Safety Case is a structured argument, supported by a body of evidence, that provides a compelling, comprehensible and valid case that a system is safe for a given application in a given environment".

That's about as succinct as it gets - the JSP version is much wordier and less clear as a result.

There is an inherent problem with safety cases - they are a verbal "argument". This means that for any complex system (anything much more complex than a penknife, actually) there are lots of words over lots of pages which need an expert to grasp, comprehend and critique. That was one of the issues in the nimrod case - the post-holder who contracted it knew exactly what should have been in it, but when it was delivered a few years later the current post-holder wasn't a safety specialist and could only assess it by weight ("thud-factor" as Haddon Cave called it).

To construct a meaningful safety case for a fast jet needs many thousands of hours of specialist engineering. Even just drafting it in any meaningful way involves a special symbolic language called "goal-structured notation" which is then fleshed out in text. Once it's created someone else then has to try to understand it to critique or approve it - arguably the only way to do this is to deconstruct it back to the symbolic form, and that takes another few thousand hours of specialist engineering effort. In the real world these skilled resources rarely exist in the quantities needed.

And of course for every slightest change in the system or its operating context the whole thing must be revisited to see if it invalidates (or just weakens) the arguments as presented.

Something like a bang-seat can't really have a safety case in its own right - it has it's contribution to the overall fast-jet training system safety case. Why? Well the acceptability of some safety mitigations can often depend on how and where it is used, stored & maintained.If the seat is sitting in stores it may be acceptable to mitigate a wear hazard under the seat pan by daily inspections, but this probably wouldn't be a viable argument when it's installed.

I know nothing about the Hawk case; the above is only a generic description of the items in question, in my personal opinion, as an engineer who happens to hold a safety engineering qualification.

E&OE,

YMMV,

PDR
PDR1 is offline   Reply With Quote
Old 27th Sep 2016, 15:45   #55 (permalink)
 
Join Date: Nov 2015
Location: Farnham, Surrey
Posts: 727
Well there's three engineers and three answers (although they agree in fact and differ only in opinion!).

PDR
PDR1 is offline   Reply With Quote
Old 27th Sep 2016, 15:46   #56 (permalink)
 
Join Date: Jun 2009
Location: France
Age: 73
Posts: 5,544
Engines/Tuc - thanks - I think I understand. But the I think I understand John Farley's book "A View From The Hover"!
Wander00 is offline   Reply With Quote
Old 27th Sep 2016, 15:59   #57 (permalink)
 
Join Date: Feb 2003
Location: uk
Posts: 2,572
If I could just add something. There are various levels of Safety Cases and Engines and I are (naturally) talking of that compiled and maintained by the DA and project teams. But you must always consider that the aircraft is not in itself a "system". A higher level system exists which includes the aircrew, maintainers and so on. The RTS includes a list of authorised Aircraft Technical Pubs for example, and it is the role of named individuals in MoD to ensure they remain valid and everyone is trained correctly in their use. So, if the FRCs are wrong (or blank as in the case of Chinook) there is a serious failure which is not the responsibility of the original designer. Similarly, if the aircraft is put to a use which is prohibited (again, Chinook) then the designer cannot be blamed. This structured approach makes it very easy to see where the breakdown occurred. In this case, I'm still struggling to understand why the HSE can't see MoD's offences. I hope MB fight their case. This could be the catalyst for the much needed scrapping of the MAA and resurrection of old, mandated policies.
tucumseh is online now   Reply With Quote
Old 27th Sep 2016, 16:05   #58 (permalink)
 
Join Date: Feb 2003
Location: uk
Posts: 2,572
PDR1

Quote:
Well there's three engineers and three answers (although they agree in fact and differ only in opinion!).
Like it. But the point is, if each of us implemented mandated regulations, physical and functional safety would be assured, as far as possible. Each of us would bring our own experience and training to bear, and our approaches might differ a bit, but the output would be the same. But MoD doesn't implement its own regs, and its definition of functional safety is positively dangerous. And it would seem it doesn't require output!
tucumseh is online now   Reply With Quote
Old 27th Sep 2016, 16:32   #59 (permalink)
 
Join Date: Nov 2015
Location: Farnham, Surrey
Posts: 727
I have to say my own experience is different, but then my experience was primarily with the Harrier II and stopped when it left RAF service (December 2010). At that stage the MAA regime was still "work in progress" in many areas. But on the harrier platform we had a full safety case with supporting evidence that went through MAR Recs into the RTS production, and the arguments were traceable to specific features of the design & operating context. A major part of the GR9/9A/T12 upgrade was ensuring the validity of the safety case remained for the new configuration. But to do it we had a team of specialist system safety engineers, and they spent weeks working in collaboration with Harrier IPT specialists to ensure there was a common understanding of the safety case as written.

If you know of this company you'll also know that at that time each aircraft project was a separate "sovereign entity" with its own procedures and approaches, so I have no idea what they did on the Hawk projects.

Actually I was pleasantly surprised that three engineers only gave rise to three opinions - normally I'd have expected at least five...



PDR
PDR1 is offline   Reply With Quote
Old 27th Sep 2016, 16:33   #60 (permalink)
 
Join Date: May 2007
Location: upstairs
Posts: 139
A bit of history may help. In the late 80s early 90s the ADRP commissioned a safety consultancy to review their current safety arrangements and make recommendations. I think the Piper Alpha inquiry had recently found the safety case approach quite compelling and the consultancy recommended MOD take the concept on board. The concept appeared in Def Stan 00-56 around the same time but perhaps wasn't well understood by many. I can recall confusion in PTs and it's perhaps not surprising that each ended up with a different SC approach and format. In hindsight it might be that more time could have been spent on the management of the introduction of the change. I suspect that there are still ongoing issues but that might be another thread.

EAP
EAP86 is offline   Reply With Quote
Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT. The time now is 02:41.


1996-2012 The Professional Pilots Rumour Network

SEO by vBSEO 3.6.1