PPRuNe Forums - View Single Post - Haddon-Cave, Airworthiness, Sea King et al (merged)
Old 16th Dec 2009, 12:27
#140
Squidlord
Join Date: Apr 2008
Location: UK
Posts: 49
JFZ90:

I agree with your point that "tolerably safe" should be defined [in Qinetiq reports about the Nimrod] if it is to be used in any meaningful way. The same of course applies to using the term ALARP.
The term "ALARP" is well-defined already. See POSMS, Def Stan 00-56, etc. There is no need for Qinetiq (QQ) reports of the kind under discussion to define ALARP since there is an authoritative definition in place already.

Having claimed more than once that "tolerably safe" isn't defined anywhere (unlike "ALARP"), Haddon-Cave told me it once was. It's in BP 1201, Issue 2 (September 2002):

A safety case is to be maintained throughout the life of the equipment in order to continue to provide the justification that the equipment remains tolerably safe (targets achieved and ALARP demonstrated)
(The term "tolerably safe" was gone by Issue 3, Sep 2005 - I don't know if it was ever in Issue 1.) What interests me about this is that the clear intent of BP 1201, Issue 2 is that you should only claim something is "tolerably safe" if you've demonstrated the associated risks are ALARP. This is not how the term came to be used by the half-dozen or so air IPTs that I've had exposure to and it doesn't appear to be how QQ use it in the report JFZ90 discusses. They all use(d) the term "tolerably safe" to mean that the associated risks were "tolerable" (but not necessarily ALARP).

JFZ90 goes on to debate what the QQ report in question was trying to say about safety. I can't remember what the report says or was trying to say about safety so I can't comment particularly authoritatively. But when JFZ90 writes:

it is not necessarily the case that QQ in writing the report have access to the costs involved in mitigating risks - for this reason alone it is unclear on what basis they were making an ALARP assessment
You don't necessarily need "access to the costs involved in mitigating risks" to determine that those risks are not ALARP. It is generally held (i.e., it's HSE guidance) that risks can not be ALARP unless relevant good practice is followed (e.g. relevant design or process standards encapsulating good practice). My very hazy recollection is that the QQ report in question made some recommendations that would be very much considered relevant good practice.

JFZ90 again:

Squidlord: Risks can be "tolerable" but not ALARP
Willing to be proved wrong, but I think it is you, not HC, who has this wrong. Give us an example of such a risk? It doesn't make sense.
I think I can do that by appeal to definitions. But I have to admit the situation is murkier than I thought before JFZ90 made me look at it in more detail. The basic problem is that we are stuck with a stupid set of terms for safety engineering (this is not the MoD's fault necessarily - it's a much wider problem than that). Basically, within safety engineering, there are relatively well-defined terms like "tolerable" and "unacceptable" that, very unfortunately, have meanings that are quite distinct from their generic dictionary definitions. The problems flow when the safety engineering terms are mixed with generic English usage.

There are two primary definitions of "tolerable" relevant to MoD safety. First, POSMS:

A level of risk that may be tolerated when it has been demonstrated that the risk is ALARP and is not unacceptable.
Secondly Def Stan 00-56:

A level of risk between broadly acceptable and unacceptable that may be tolerated when it has been demonstrated to be ALARP.
The precise right one for the QQ report depends on the context of the report. But you can see the definitions are very similar (and neither is particularly well-worded). Crucially, both admit that a risk can be tolerable but not ALARP (despite HC, para 11.322). And if you read 00-56 and POSMS in any detail, it is clear from the use of the terms "tolerable" and "ALARP" that it is possible for risks to be tolerable but not ALARP.

It's an unfortunate situation because the generic meaning of "tolerable" is not that similar to the safety engineering meaning of the word (as captured in the definitions above). Risks can be "tolerable", in the safety engineering sense, but "intolerable" or "unacceptable", in the generic English sense (i.e., when those risks are not ALARP). A better term for the safety engineering specific use would be "potentially tolerable".

In para 11.322 of his report, HC quotes BP 1201:

Tolerable - The residual risk is tolerable only if further risk reduction is impracticable or requires action that is grossly disproportionate in time, trouble and effort to the reduction in risk achieved.

This definition is at odds with the definitions in 00-56 and POSMS. If MoD can't even get it right in their own standards and regulation (POSMS also abuses terminology and much too freely mixes the safety engineering and generic English uses of terms like "tolerable" and "unacceptable"), what chance have the rest of us! And it's no wonder that HC appears confused in para 11.322 when he states:

There is no such thing as ‘tolerably safe but not ALARP’. Risks are either ‘tolerable and ALARP’ or intolerable

I don't know whether HC is:

1. genuinely confused, or
2. using "tolerable" in the safety engineering sense, and "intolerable" in the generic English sense (which is not the same as "not tolerable" in the safety engineering sense).

raedwald:

There are 3 levels of tolerability: intolerable, tolerable and broadly acceptable.
In MoD safety circles, "intolerable" is usually referred to as "unacceptable". The definition of "unacceptable" from POSMS (& 00-56):

A level of risk that is tolerated only under exceptional circumstances.
It's unfortunate that the term "unacceptable" is used in this way since it means there are risks that are "unacceptable" in the generic sense that are not "unacceptable" in the safety-engineering specific sense (i.e., risks that are tolerable but not ALARP). Again, a clash between safety engineering English and generic English!
Distant Voice:

In his report [Haddon-Cave] stressed the point that the "R" in ALARP has a temporal element, and criticised the Coroner for calling for the grounding of the Nimrod, because in his opinion "a reasonable time is allowed" to mitigate identified risks.

[...]

Now, having read Lord Cullen's findings, and the Health and Safety guidelines, I believe that "time" in [the context of the judge's (not Cullen's!) summation of Edwards v The National Coal Board] means downtime (lost time) of the plant or equipment and its associated costs and trouble. It does not mean, as Group Capt. Hickman (inquest witness) and the QC claim that "we have got time to reduce the risk to ALARP".
I agree with Distant Voice's analysis of the two different sorts of "time" above and I think it is plausible that Haddon-Cave (HC) mixed them up in his report.

But I maintain that "we have got time to reduce the risk to ALARP [while still operating]" can be a valid claim (though not necessarily for the reasons HC advances). I.e., it is possible to:

1. identify that a risk is not ALARP in the long-term,
2. identify a "reasonably practicable" risk reduction that is necessary to reduce the risk to ALARP in the long term, that will take a lengthy time to implement,
3. continue operating pending implementation of the risk reduction
4. claim that the risk of operation in that interim period is ALARP.

See the end of my post #96 in this thread. Specifically:

You must show that the risk of operation pending implementation of risk reduction is ALARP. It might seem obvious that you can't do this. After all, that is why you are implementing the long-term risk reduction. But this ignores the exposure aspect of ALARP. In essence, the longer your exposure to a risk, the less likely it is to be ALARP (because that risk is more likely to precipitate an accident(s)). So it is possible, in principle, to demonstrate that the risk of operation pending implementation of the long-term risk reduction is ALARP.
The crucial thing, to me, is that you must do an ALARP assessment of the risk in question pending implementation of the long-term risk reduction. This will tell you whether you can continue to operate or not.

Having said the above, I agree with raedwald:

since everyone has their own ideas I don't think that there is a right and wrong - the only way you find out is if a Judge decides that your argument is not reasonable, I guess!
(except it will be a jury, not a judge).
A few people are being highly critical of the HC report. Yes, it does contain significant errors and it's a shame its scope is limited. But, imo and depending on MoD response, it could still be a force for significant improvement in safety. In that light, the criticisms are relatively minor, in my opinion.