I am trying to follow the discussion in this thread but really struggling to keep up. It's clear to me (and many others) that there have been very serious failings in safety management for the Nimrod over a number of years. I believe that these failings are to some extent endemic in MoD air safety management in general. Efforts are being made at senior levels within the MoD to address these failings and I believe that we are likely to see the biggest changes in MoD safety management since the Safety Case concept and culture was adopted (in the early-mid 90s, I think). Whether those changes are sufficiently wholescale to seriously improve MoD safety management and satisfy critics is to be seen.
Notwithstanding the above, I don't know whether the Nimrod is currently safe to fly. But I do believe that many of the claims and arguments being made in this thread in support of the view that it is not currently safe to fly are faulty.
First an absolutely key point.
The concept of safety, as defined by MoD policy and regulation (see Def Stan 00-56, POSMS, etc.), depends crucially on how a system or equipment is used and maintained. It makes no sense to talk of a system or equipment being safe (or that the risks associated with that system or equipment are ALARP) without a context of use and maintenance. Thus, statements about whether or not Nimrods are safe to fly (or whether the associated risks are ALARP) should only be made together with a context of use and maintenance that, for example, defines whether or not AAR happens or not. I suspect all of us fall foul of this issue from time to time, even those of us who understand it very well (and I include Qinetiq in this - see below).
Why do I make this point about context? Because people are talking/writing about things (e.g., Nimrods) being "safe" or "unsafe" when it's often unclear what context of use and maintenance is being referred to. I don't know whether the Nimrods should be flying at the moment. I.e., I don't know whether it is safe to fly Nimrods IN THEIR CURRENT CONTEXT OF USE AND MAINTENANCE (note, not how we used to fly them ... not how we hope to fly them in five years time ... but how we are currently flying them).
Those on this thread who say that the Nimrods are not currently safe to fly cite a number of Qinetiq reports; principally this one:
"Nimrod Fuel System Safety Review Report", Oct 2007, Issue 1
This contains the thirty recommendations that are often cited in this thread. In particular, Distant Voice and davejb (see below) both refer to this report. DV writes:
He, like many of us can not get our heads round the following:
[...]
(2) QinetiQ produce a draft report "for comments" in Sept 2007. This was a most unusual step, because QinetiQ normally issue the report directly.
For what it's worth, there is nothing remotely unusual about QQ issueing a draft report for comment. It happens all the time.
(3) The report was adjusted, where the pharse "tolerbly safe" was added. MoD refuse to comment on this, because they claim the all copies of the draft report have beem destroyed.
This intrigues me. DV, how do you know the insertion of the phrase was an adjustment? I find it all too believable that it was inserted on MoD request. In my experience, several air IPTs are inclined to make statements to the effect that their aircraft are "tolerably safe" (meaning that the risk is tolerable though not necessarily ALARP) as though this was some sort of important achievement. There seems to be a collective desire to ignore the fact that acheiving ALARP is the requirement, not "tolerably safe".
(4) Issue 1 of the report was produced in Oct 2007, in which it is stated that the system is not ALARP, and can not be considered to be ALARP until 30 recommendations are complied with. MoD's Def Stan states, not ALARP then not safe.
I can't find anywhere in the report where it says that all 30 recommendations have to be implemented before the Nimrod fuel system risk is ALARP. The report does state:
"the recommendations [...] should be considered and acted upon, where appropriate, before it can be considered that the equipment risks are ALARP"
The difference between this and what DV wrote is that QQ are only saying that the recommendations "should be considered and acted upon, where appropriate", not that they must be complied with (to achieve ALARP). This is probably because QQ do not know whether all of the recommendations are necessary to achieve ALARP. In general, determining that a risk is ALARP or even just determining whether a particular risk reduction is "practicable" (in the sense of ALARP) is a complex business. As far as I can tell, the QQ report contains no ALARP analysis at all, i.e. for none of the recommendations is there a comparison of the costs and benefits of implementing the recommendation (for many of the recommendations, this is for a very good reason - see below). QQ don't know whether all of the recommendations are "practicable". Consequently, they only conclude that the recommendations "should be considered and acted upon, where appropriate, before it can be considered that the equipment risks are ALARP". Effectively, they are asking the IPT to do the ALARP analysis and consider the costs and benefits of the recommendations. I don't know whether the IPT has done this but their statements concerning the recommendations are, I think, at least consistent with them having done so.
Changing tack, the QQ statement:
"the recommendations [...] should be considered and acted upon, where appropriate, before it can be considered that the equipment risks are ALARP"
is misleading in a few ways, in my opinion. Most importantly, I can not tell what context of use and maintenance is being talked about. If it's missing, this is quite a serious flaw in the report so I hope it's just that I can't find it - does the report clearly state the context of use and maintenance in question? Unfortunately, in the absence of such information, it's difficult to be clear what exactly QQ are saying about the safety of the Nimrod fuel system.
Having said that, I don't believe that the QQ statement above refers to the way that the aircraft was being operated and maintained at the time of the report. Why? Because the very first recommendation is (text in square brackets is mine):
"The current operating limitations imposed by SD [Service Deviation] and the additional maintenance activities invokeds through RTIs [Routine Technical Instructions] mitigate the fuel system risks to acceptable levels. Changes to such mitigating action must be supported by appropriate evidence"
If QQ are saying that the risks are (currently) "acceptable", then they are saying they are ALARP. Thus it seems that QQ are saying that the risk of the Nimrod fuel system, in the context of use and maintenance extant at the time the report was written, is ALARP. Hence they must be talking about some other context of use and maintenance when they state:
"the recommendations [...] should be considered and acted upon, where appropriate, before it can be considered that the equipment risks are ALARP"
Unfortunately, as far as I can tell, QQ don't tell us what that context is (like I say, a serious flaw, in my opinion).
I also think the QQ statement is misleading because I think many of the recommendations are concerned with generic good safety management. They are not directly relevant to the ALARP status of the risk of the fuel system.
Back to DV:
(5) On 4th Dec 2007, Des Browne boasts "QinetiQ has conducted an independent investigation and confirm that, in light of the measures taken since the crash, the fuel system is safe to operate" - Wrong, wrong, so wrong. At the time none of recommendations had been implemented, and AAR was still in opertion at the time the report was written.
In respect of reporting QQ's conclusions, I'm not clear Des Browne was wrong - see above. However, whether QQ's conclusion contained in the first recommendation:
"The current operating limitations imposed by SD and the additional maintenance activities invokeds through RTIs mitigate the fuel system risks to acceptable levels."
was correct or not is another matter. Was it the case that AAR was only still happening due to operational imperative (i.e., in perhaps the only context in which a failure to achieve ALARP could be allowable)?
If I'm right that QQ were claiming that the Nimrod fuel system was ALARP in its context of use and maintenance at the time the report was written, an obvious question is why did the coroner and Nimrod IPTL, Hickman apparently contradict this? The short answer is I don't know. When either of them were making their statements about ALARP, was the context of use that they were referring to well-defined? If not, it is very hard for us to know what they were speaking of. The coroner can only do as well as the evidence he is given so I'll ask the question of Hickman's evidence. Do we know for fact that Hickman was talking in the context of how the aircraft was being operated and maintained at the time he was questioned? If not, his statements on the ALARP status of Nimrod risks have no obvious relevance to the question of whether or not the Nimrods were safe to fly at the time of the inquest (or now).
I think it is entirely possible (I would even say quite likely) that Hickman made his claim about the ALARP status of the risk of flying the Nimrods in the context of how he hopes they will fly when all the QQ recommendations are implemented, not how they were flown at the time.
davejb wrote:
1) The RAF considers an aircraft airworthy provided the risks associated with operating it are reduced to ALARP.
This statement would certainly be correct according to regulation and policy if it said, "The RAF considers an aircraft *safe* provided the risks associated with operating it are reduced to ALARP". I don't really understand "airworthiness". I know the definition in JSP 553 but it is vague and has no obvious connection with ALARP.
2) The RAF asked Qinetic to report on the MR2, and were told there were 30 items to fix to make MR2 ALARP.
Not quite true - see above.
5) 21 (was it?) items have been agreed by the RAF as requiring a fix, but the fixes haven't been done yet - until these are fixed presumably Nimrod MR2 isn't ALARP?
Not necessarily. Let me rephrase (5) as, "until these are fixed presumably the risk of operating the Nimrod MR2 fuel system in its current context of use and maintenance isn't ALARP?" The answer then depends on what (different, I believe) contexts of use and maintenance relate to the recommendations in the QQ report and the way the aircraft is currently operated. It may be that the aircraft is currently operated and maintained in a way that renders QQ's recommendations unnecessary to achieve ALARP.
It's also not necessarily true in another way. As JFZ90 has pointed out a couple of times, the ALARP status of a risk depends crucially on how long that risk is incurred. It's perfectly possilbe for a risk to not be ALARP when considered over the life-time of the Nimrod fleet but to be ALARP over a more limited period, e.g. whilst various recommendations are implemented to make the risk ALARP in the long-term. This would be consistent with legal and MoD regulatory requirements in respect of ALARP.