PPRuNe Forums - View Single Post - Haddon-Cave, Airworthiness, Sea King et al (merged)
27th Nov 2009, 09:59
#96
Squidlord
Join Date: Apr 2008
Location: UK
Posts: 49
Tapper's Dad:

The ALARP (As Low As Reasonably Practicable) principle provides a means for assessing the tolerability of risk. In essence, it says that if the cost of reducing a risk outweighs the benefit, then the risk may be considered tolerable.
Replace "tolerability" by "acceptability", and "tolerable" by "acceptable" in the above and it would be more correct. "Tolerability" and, especially, "tolerable" are loaded words with specific meanings in the context of risk assessment so it would be more correct to use "acceptable" and "acceptability" (with generic meanings).

However if the risk to the aircraft is explosion or fire, then the benefit of reducing the risk is great. It follows that the cost of reducing the risk would have to be very high in order to say it was tolerable.
(Substitute "acceptable" for "tolerable" again.) This ignores the probability component of risk. If the probability of explosion or fire is very small then the risk is also small and so the cost of risk reduction would not need to be so high to sustain a claim that the risk was ALARP and *acceptable*.

So when Tapper's Dad writes,

What cost would be “grossly disproportionate” to save the lives of 14 men and one Nimrod Mk2?
the answer depends on what the associated probability is. If it could be shown that this probability was *correctly* assessed as being very very low, then the answer would be not much money at all. I.e., the risk could have been correctly considered ALARP. I emphasise the word "correctly" because, of course, this was the fundamental failing of the Nimrod risk assessment prior to the disaster. They very badly (negligently in my opinion, and that of Haddon-Cave, I think) underestimated the risk.

This is where I think the term tolerably safe stems from
I doubt it very much (JFZ90 and Mick Smith as well); see my post #46 in this thread.

I didn't see anywhere either in the BOI or Safety Case where the cost of reducing a risk was discussed or assessed
I don't know/can't remember whether Nimrod IPT even assessed the ALARP status of the risks associated with the XV230 disaster. But the fundamental point was that they completely mis-assessed that risk. ALARP determination is secondary to risk estimation. If you severely underestimate the risk, as Nimrod IPT did, whether or not you do an ALARP assessment (correctly) tends to be irrelevant.

As you say ...

I believe therefore that the XV230 was neither 'tolerably safe' nor ALARP as the risk in Dry Bay 7 was never assessed correctly and the mitigation put forward was erroneous.
(Best not to use the term "tolerably safe".) Possibly the risk of operating XV230 was "tolerable" (in the specific meaning of that word in the risk assessment context). But this is not enough. It needs to be tolerable and ALARP. It was certainly never demonstrated ALARP (correctly) and it seems extremely unlikely that it was ALARP.

Tapper's Dad quotes Haddon-Cave

Chapter 19 of the HC review says:
(3) The meaning of “Airworthiness” is not sufficiently understood;
(4) The meaning of ALARP is not sufficiently understood;
I agree entirely. I could write an essay on the term "airworthy" (personally, I would like to see the term scrapped because it is so ill-defined - we should just use the term "safe" instead). I have written essays on the meaning of "ALARP". It's a contentious principle for determining the acceptability of risk and, in my opinion, one of the best reasons for dumping it is its complexity and difficulty.

Having said all that, Haddon-Cave betrays a possible lack of understanding himself:

11.322 This report sowed much confusion. There is no such thing as ‘tolerably safe but not ALARP’. Risks are either ‘tolerable and ALARP’ or intolerable
I don't think this is true. Risks can be "tolerable" but not ALARP. The language of risk assessment ("tolerable", "broadly acceptable", etc.) is unfortunately pretty badly put together but we are stuck with it now (like "airworthiness"?). So it doesn't surprise me that Haddon-Cave doesn't seem to have quite got it right (or his understanding of ALARP and Safety Cases) but it does suggest to me that it would have been better had he retained someone who could authoritatively advise him on risk and safety technical issues, e.g. Professor John McDermid (who is acknowledged in the report but didn't actually fulfil that role) or a senior HSE person.




SirPeterHardingsLovechild:

I would expect people involved in Airworthiness to have a definition of it framed on the office wall, but I'm a picture framer.
In my experience, most people involved in MoD safety don't actually know what the MoD definition of "safe" is. Ok, you might say, they could always look it up if they needed it. But they don't! I have seen so many MoD Safety Cases and safety assessments and the majority (yes - the majority!) use the wrong definition of "safe". It is pitiful.

So I'm not surprised if the same people don't know the definition of "airworthiness" or "ALARP".



JFZ90:

The report did not make it clear however that from a risk perspective it was reasonable to take x months to conduct this further risk reduction and continue flying - i.e. they thought it was tolerably safe. Hence it was flawed to state that it wasn't ALARP - it should have stated it was tolerably safe but a timely seal replacement programme should be implemented to address residual risk. This would be more consistent with established procedure - i.e. similar to post TWA800 Airworthiness directives where airlines were given years to rectify safety risks over a "reasonable" timeframe (hence this was ALARP decision making).

Hence, if the IPT asked for "tolerably safe" to be included* (i.e. properly reflected) then they were in fact just trying to get QinetiQ to write their report properly.

[...]

the report should have said "tolerably safe"
and in a later post:

If you accept for a moment that the report should have said "the system is tolerably safe" and not erroneously mentioned ALARP
This second quote manages to get the situation completely wrong. See my post #46 in this thread. The report was absolutely not erroneous in mentioning ALARP. It was erroneous in mentioning "tolerably safe". This is precisely the point Haddon-Cave makes (and I agree completely with the first two paras of Mick Smith's post #89). Firstly, the term "tolerably safe" should not be used without definition (and preferably not at all). Further, you do not write a report "properly" by using ill-defined terminology and it is definitely not the case that "they were in fact just trying to get QinetiQ to write their report properly". If the inclusion of the words was at the behest of the Nimrod IPT, I would be very surprised if it was anything other than an attempt to make the situation sound less bad than it was, i.e. "weasel words".

Secondly, my recollection of the QQ recommendations to address ALARP is hazy but I do recall they included some that would be considered fundamental good practice. It is generally considered (i.e., it is HSE guidance) that to demonstrate a risk is ALARP, it is necessary to apply all relevant good practice. Ergo, the non-ALARP status was nothing to do with timely implementation of risk reduction.

At the end of this post, I write more on the temporal aspects of ALARP.


JFZ90 quoted Mick Smith's blog:

Under the MoD’s own safety rules, if the risk to the aircraft is only “tolerable” it must also be ALARP.
This is potentially misleading as it suggests that "tolerable" risks are automatically ALARP, which is not the case. It would be correct to say, "if the risk to the aircraft is “tolerable” it must also be shown to be ALARP".

JFZ90 in another post:

In any other circumstances an extension to the timeframe may have been considered/granted on the basis of risk, but I suspect this was not sought on the basis of political grounds
Although I don't know precisely why the Nimrods are grounded, I agree with the principle of this. The ALARP principle is only one means of deciding whether a risk is acceptable (it just happens to be a necessary one).



Some more words about the temporal nature of ALARP.

Nigegilb wrote:

Maybe I misunderstand something now. How could Nimrod be ALARP with a time line? Surely it is either ALARP or it isn't?
It is much much more complex than this. Leaving aside the fact that ALARP is a property of the risk of the way an aircraft (or other equipment) is operated, not just a property of the aircraft itself, e.g. see

http://www.pprune.org/military-aircr...ar#post4214180

there is, as Haddon-Cave alludes to, a temporal aspect to ALARP ...

Within MoD safety circles, there is a principle doing the rounds that is often referred to as "temporal ALARP", though use of this precise term is discouraged. The idea is roughly as follows. If you identify a (single) risk reduction that is necessary to reduce a risk ALARP and if that risk reduction would necessarily take some time to implement (e.g., a significant design change to a fuel system) then you may claim the risk is ALARP pending implementation of the design change as soon as practicable (and afterwards as well). There are (at least) three flaws with this.

1. You must show that the risk of operation pending implementation of risk reduction is ALARP. It might seem obvious that you can't do this. After all, that is why you are implementing the long-term risk reduction. But this ignores the exposure aspect of ALARP. In essence, the longer your exposure to a risk, the less likely it is to be ALARP (because that risk is more likely to precipitate an accident(s)). So it is possible, in principle, to demonstrate that the risk of operation pending implementation of the long-term risk reduction is ALARP. However, the "temporal ALARP" principle, as I've always seen it stated, does not require an explicit consideration of ALARP status pending risk reduction. And it is always possible to reduce that risk, e.g. by taking the equipment out of service (grounding an aircraft). There is, effectively, an assumption that the operational imperative makes removal from service impracticable but this assumption does not always hold.

2. So you decide to implement long-term risk reduction, e.g. a design change, as soon as practicable. What's to stop you from constantly delaying that design change, letting it slip to the right, etc? (not a problem with the principle itself but a problem with its application). I have seen this happening already.

3. The principle is already being abused. It was intended to be applied, where ALARP status has been assessed, to justify continued operation pending long-term risk reduction. It is also being used to justify continued operation where ALARP status hasn't even been assessed ("we've plans to do the ALARP assessment in the future so under "temporal ALARP", pending that assessment, our risk of continued operation is ALARP"). Arrrrghhhh!

Haddon-Cave supports some kind of "temporal ALARP" principle (as do I) and, as JFZ90 suggests and Rigga confirms, similar ideas are enshrined in, e.g., civil aviation. But such civil aviation ideas are much more closely bounded to address the three flaws above.
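The exposure and cost-benefit arithmetic the post above leans on ("this ignores the probability component of risk"; "the exposure aspect of ALARP"), written out as an added example. It is not part of Squidlord's post and is not taken from Haddon-Cave, QinetiQ, the MoD or the HSE; every figure in it (per-hour accident probabilities, flying hours, value of preventing a fatality, disproportion factor, tolerability bands) is a constructed, hypothetical input chosen only to show how the conclusions move with the assessed probability and with the time a fix is left pending.

```python
"""Exposure and 'gross disproportion' arithmetic behind an ALARP argument.

Added illustration only: none of these figures are Nimrod, QinetiQ, MoD or
HSE numbers. Per-hour probabilities, exposure hours, the value of preventing
a fatality (VPF), the disproportion factor and the tolerability bands are
all constructed inputs (marked HYPOTHETICAL below).
"""

# HYPOTHETICAL tolerability bands, as probability of a fatal accident per
# year of operation. Only the shape (three bands) matters here; the real
# MoD/HSE figures are not given on the page and are not reproduced.
INTOLERABLE_PER_YEAR = 1e-3
BROADLY_ACCEPTABLE_PER_YEAR = 1e-6


def p_at_least_one(p_per_hour: float, hours: float) -> float:
    """Probability of at least one accident over `hours` of exposure,
    treating each flying hour as an independent trial."""
    return 1.0 - (1.0 - p_per_hour) ** hours


def classify(p_per_hour: float, hours_per_year: float) -> str:
    """Place an annualised risk in a band. 'Tolerable' only means the risk
    is not rejected outright; it still has to be shown ALARP separately."""
    p_year = p_at_least_one(p_per_hour, hours_per_year)
    if p_year >= INTOLERABLE_PER_YEAR:
        return "intolerable"
    if p_year < BROADLY_ACCEPTABLE_PER_YEAR:
        return "broadly acceptable (still expect relevant good practice)"
    return "tolerable (must also be shown ALARP)"


def max_justifiable_spend(p_before: float, p_after: float, hours: float,
                          persons: int, vpf: float, disproportion: float) -> float:
    """Largest cost a risk-reduction measure can carry before it becomes
    'grossly disproportionate' to its benefit, i.e. before one may stop and
    call the residual risk ALARP. Benefit = expected fatalities averted over
    the remaining exposure, monetised with VPF and scaled by the
    disproportion factor the regulator allows."""
    averted = (p_before - p_after) * hours * persons
    return averted * vpf * disproportion


def risk_pending_fix(p_per_hour: float, hours_per_month: float,
                     delay_months: int) -> float:
    """Probability of an accident during the delay before a long-term fix is
    fielded. This is the exposure a 'temporal ALARP' claim must assess
    explicitly; it grows with every month the fix slips to the right."""
    return p_at_least_one(p_per_hour, hours_per_month * delay_months)


if __name__ == "__main__":
    persons, vpf, factor = 14, 1_500_000.0, 3.0     # HYPOTHETICAL inputs
    remaining_hours = 5_000.0                        # HYPOTHETICAL exposure
    # Same measure, two very different assessed probabilities: the money it
    # is reasonable to spend tracks the probability, which is the point made
    # above about "grossly disproportionate".
    for p in (1e-5, 1e-9):
        spend = max_justifiable_spend(p, 0.0, remaining_hours, persons, vpf, factor)
        print(f"p={p:.0e}/h -> {classify(p, 500.0)}; justifiable spend {spend:,.0f}")
    # The exposure while a fix is pending is not free: a delay changes the
    # probability that has to be argued ALARP in the interim.
    for months in (6, 24, 60):
        print(f"fix delayed {months:>2} months -> "
              f"P(accident while pending) = {risk_pending_fix(1e-5, 40.0, months):.4f}")
```

With the constructed inputs, the same fix is worth a few million if the assessed probability is 1e-5 per hour and a few hundred pounds if it is 1e-9 per hour, which is the post's point that the ALARP answer is only as good as the probability estimate; and the pending-fix probability roughly quadruples between a six-month and a two-year slip, which is the exposure that a "temporal ALARP" claim has to address rather than assume away.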