Right at the beginning of this thread, Safeware quoted the Haddon-Cave report (HC):
There is no such thing as ‘tolerably safe but not ALARP. Risks are either ‘tolerable and ALARP’ or intolerable
and then asked:
does
Quote: ‘tolerably safe but not ALARP’
then make sense in the real world beyond Def Stan definitions?
I don't think so. At least not in the sense that Safeware is enquiring (for risks that are just a little higher than "broadly acceptable").
I think I criticised Qinetiq's (QQ) use of the term "tolerably safe" in one of my posts on the Nimrod thread, mostly because they didn't define it (and it isn't defined in any authoritative document that I know of). Even if Safeware has a point (though see below) and QQ intended a similar usage to that he intends, they should have defined the term. They're not the only offenders - many air IPTs have done the same.
As it goes, I have been told that the term "tolerably safe" was introduced to military air safety as "weasel words" to help justify continued operation when you have tolerable risks that have not been demonstarted ALARP. I.e., not to cover the situation that Safeware describes when your risk is just a little higher than "broadly acceptable" but any situation when your risks are tolerable but not necessarily ALARP.
Of course, there is intuitively something intrinsically more acceptable about a risk that is only a little higher than "broadly acceptable" as opposed to one that is just short of "intolerable". But that is factored into the difficulties of demonstrating the two risks ALARP. Basically, the first will very likely be easy to demonstrate ALARP (unless it really is risk without any benefit) but the second will be virtually impossible to demonstrate ALARP.
Flipster wrote:
What worries me is who apportions the 10p-6 or 10p-5 etc for the MoD airworthiness processes involving catestrophic failures eg Herc Fuel Tanks, Nimrod Dry Bays, Sea King HISLS, Chinook FADECS etc?
Where do these probabilities come from?
In principle, whenever a target like this is allocated, it should be justified. In practice (in my experience), the justification is often missing. Def Stan 00-56, Issue 2 (we're now at Issue 4) contained an example risk matrix. The intention was that IPTs would select and justify their own risk matrix, with agreement from stakeholders, but because so many were clueless about how or why, they just adopted the example risk matrix ... even if it was inappropriate for their circumstances.
It is possible to use sound criteria to "design" project-specific risk targets, e.g. in a risk matrix. You can use risk matrices already used for similar equipments in similar contexts (e.g., consider using the Typhoon risk matrix for JSF), design one from scratch according to higher-level criteria (e.g., the HSE annual risk of individual death criteria that Safeware mentions in his first post on this thread, the JSP 553 1E-6 cumulative risk target or the civil aviation targets that Safeware also mentioned - all of these have something of a higher level justification sitting behind them too), design one that implies safety performance no worse (or preferably better) than the equipment currently exhibits, etc.
nigegilbert:
I agree with [HC's] assertion that MoD need to re-establish the post of Chief Engineer
There's a Defence Chief Airworthiness Engineer already in place - Air Marshal Kevin Leeson.
http://www.blogs.mod.uk/defence_news...er-2009-1.html