nigegilb

SPH, I know some of those mentioned, well at least one to my knowledge, is regarded as a good guy. Problem is, for far too long MoD culture has gotten away with decision making that has resulted in loss of life. In recent years it has been relatively low risk regarding the possibility of being accounted for. H-C has blown that wide open. As I stated before, his devastating critique has given prosecution lawyers something of a slam dunk case. My sympathy for the individuals is limited. They knew they were playing musical chairs, the music stopped and they happen to be in the firing line. They are also alive, which is more that can be said for the 14 crewmen sent to their deaths.

I welcome the idea of court cases. You touched on the fact that they might sing like canaries when the pressure is on and the very real possibility of a stretch inside is staring them in the face. We need the full story. Certainly one very senior person probably couldn't believe his luck when he didn't get a mention by H-C. I suspect the reluctance of some of those mentioned to fully cooperate/recall will change when they are placed in the dock.

Perhaps someone else can help me out? The recently announced QQ inquiry. Will it be published? Or will the results be covered up?

Tappers Dad

This may help or confuse the situation :

The ALARP (As Low As Reasonably Practicable) principle provides a means for assessing the tolerability of risk. In essence, it says that if the cost of reducing a risk outweighs the benefit, then the risk may be considered tolerable.

Ergo.a risk is ALARP if the cost of any reduction in that risk is grossly disproportionate to the benefit obtained from the reduction.

However if the risk to the aircraft is explosion or fire, then the benefit of reducing the risk is great. It follows that the cost of reducing the risk would have to be very high in order to say it was tolerable.

This is where I think the term tolerably safe stems from, I didn't see anywhere either in the BOI or Safety Case where the cost of reducing a risk was discussed or assessed.

I believe therefore that the XV230 was neither 'tolerably safe' nor ALARP as the risk in Dry Bay 7 was never assessed correctly and the mitigation put forward was erroneous.

To use a simple analogy, if the brakes need doing on your car because they won't stop the car, the risk to those on board is high and the cost is £300 say they have to be fixed to make it ALARP.
If there is danger to life or limb then even if the cost was £3000 it would not outweigh the risk. It can only be tolerable if the car is never driven or moved.

HSE guidance is that risks should be reduced unless the cost is “grossly disproportionate” to the benefit.

What cost would be “grossly disproportionate” to save the lives of 14 men and one Nimrod Mk2?

Having read most of Haddon-Caves report it is clear that certain companies wished to appear in a good light in order to 'please' the customer. This may explain the apparent anomaly between the first and second version.

Chapter 19 of thee HC review says:
(3) The meaning of “Airworthiness” is not sufficiently understood;
(4) The meaning of ALARP is not sufficiently understood;

Which says it all really.

He went on to say.
(10) QinetiQ failed to understand the meaning of ALARP

11.320 In my view, it is also a matter of concern that leading experts such as QinetiQ do not seem to understand basic concepts such as the meaning of ALARP (As Low As Reasonably Practicable).

11.321 The Executive Summary to QinetiQ’s Nimrod Fuel System Safety Review Report (QINETIQ/EMEA/IX/ SCR0702915,
October 2007, Issue 1) stated:
“Having considered the evidence referred to within this safety case report, noting that there are outstanding recommendations and the level of risk present to the fuel system is not ALARP, the operation of the fuel system is tolerably safe given the mitigation currently in place.” (emphasis added)

11.322 This report sowed much confusion. There is no such thing as ‘tolerably safe but not ALARP’. Risks are either ‘tolerable and ALARP’ or intolerable:

SirPeterHardingsLovechild

I would expect people involved in Airworthiness to have a definition of it framed on the office wall, but I'm a picture framer.

I think you are now barking up the wrong tree, this stage of your battle has been won. (Congratulations, Sir, and good luck for the future)


These guys knew exacly what they were doing. They fudged the issue and will now be held to account.

Why did they do it?

We already know the answer.

JFZ90

I could be mistaken, but I think there still remains much confusion over ALARP.

My opinion is as follows:

When HC talks about no such thing as "tolerably safe but not ALARP" he mentions the fact that the time aspect of the R has been misunderstood. This is consistent with many comments at the time made on here, e.g. in relation to TWA800.

My theory (only guessing here but seems to me the best fit):

It has been suggested that the original QinetiQ report did not mention tolerably safe and only said it was not (yet) ALARP. They probably stated this on the basis that the you could spend relatively little money to address some further residual safety risk (i.e. replacing seals). The report did not make it clear however that from a risk perspective it was reasonable to take x months to conduct this further risk reduction and continue flying - i.e. they thought it was tolerably safe. Hence it was flawed to state that it wasn't ALARP - it should have stated it was tolerably safe but a timely seal replacement programme should be implemented to address residual risk. This would be more consistent with established procedure - i.e. similar to post TWA800 Airworthiness directives where airlines were given years to rectify safety risks over a "reasonable" timeframe (hence this was ALARP decision making).

Hence, if the IPT asked for "tolerably safe" to be included* (i.e. properly reflected) then they were in fact just trying to get QinetiQ to write their report properly. It appears that they didn't do this right as when they added "tolerably safe" they didn't properly use the word ALARP or put it in the right context which has created no end of problems and misunderstandings.

I seem to recall Mick Smith used the QQ report wording of ALARP to imply SofS had lied to the house many months ago - looking now at the likelihood that the report should have said "tolerably safe" and not mentioned "not ALARP" (which was false as stated by HC), it can be seen that he wasn't actually lying. It can be seen however why the HC report criticises QQ for not understanding the term, and he mentions how this has created much confusion (I suspect this is a direct reference to Micks article).

PS I am not defending MoD here (I found HC gripping and alarming in equal measure) - just trying to put what is in my opinion the correct interpretation on the ALARP issue.


*don't know if this is true, just assuming that the accusation that they did is true for a minute which I know is dangerous!

nigegilb

If Nimrod [safety risk] is ALARP why is it (largely) grounded?

PPRuNeUser0139

Nige,
Your PM inbox overfloweth.. Just emailed you.
sv

Mick Smith

Mick Smith didn't. He quoted Angus Robertson as saying Browne misled the house, and explained the evidence for this which hasn't changed as far as I'm concerned.

JFZ90

Mick, I see your point, but my main memory was just the headline:

but to quote your own blog....

...you are making the case that there is something misleading going on by quoting specifically the QQ report "tolerably safe but not ALARP". Now that HC has now said that this phrase and therefore the wording of the report is contradictory and misleading, it follows that any argument based on them is potentially invalid. He also raises how the temporal aspects of ALARP were not correctly understood / ignored (and even stated as irrelevant by some).

The HC report has shed useful light on what the QQ report should have said. That is what has changed.

If you accept for a moment that the report should have said "the system is tolerably safe" and not erroneously mentioned ALARP - then surely you can see how the whole "its not ALARP, ground them" red herring would not have started - and the coroner could have been spared some blushes!

Like I said, I'm not defending MoD here - just safety engineering practice and logic which I fear is taking a real hammering here and clouding the real issues!

Mick Smith

I can see where you're coming from JFZ90 BUT the nub of the report concerned the 30 issues that had to be sorted to make it ALARP. QQ was originally saying it was "tolerable but not ALARP", so the 30 problems had to be eradicated to make it ALARP, (although I accept that there were a few that were no longer relevant because of the ban on air-to-air refuelling.)

QQ was then persuaded to make it read 'tolerably safe', one suspects because it as easier to play down the importance of a critical report. So on that basis I stick by that quote from my blog.

I'm not playing down QQ's blame here, or imagining some conspiracy theory in which H-C somehow used them as a patsy for the IPTL - which could scarcely be the case! - only saying that the situation was more nuanced than it appears in the black and white of H-C's report, and that the QQ review, since it will focus on the QQ side of things, and question the person responsible for agreeing the change in a more protected atmosphere, is therefore likely to elicit greater detail, and is bound to get to the bottom of what actually happened there.

On the headline, the quotes around the misled means it is someone alleging it, not absoluted hammered down fact. I absolutely concede it is itself misleading but I don't make the rules on headlines - or even write the headlines - and with all its flaws, that usage is an industry standard. I suspect it is pretty much the best that can be done with the space the headline writers get.

I certainly would not accuse a minister of lying over something like this because he just gets the advice from civil servants and service officers and while he may well question it, will be easily reassured that it is correct, whatever the facts. This is actually, incidentally given the thread we are on, even more of the case with ministers' responses on the Sea King issue.

Not that I have much sympathy with the ministers here. It has to be said that they created the situation in which bad news - often arising from their own decisions on budgets - was unwelcome however unavoidable and therefore have some responsibility for the way in which the civil servants and service officers advising them seem increasingly to act more like courtiers reassuring an emperor than professionals making professional decisions and telling the minister the way it is.

nigegilb

I understand it has so far cost 30 million to rectify the scp and fuel pipes/seals.

JFZ90

I understood that the ALARP consideration gave the nimrod fleet until date X to rectifiy the seals. It looks like a decision was taken not to take the operational impact of doing all the seals by this date (i.e. you'd have to tie up so many airframes in depth / out of the flypro that it would impact ops). This was probably on the basis it still gave time to get a mitigating op capability in place. Once this was decided, it was clear that once the date was reached the ac that hadn't had the work done would be grounded until they were fixed.

In any other circumstances an extension to the timeframe may have been considered/granted on the basis of risk, but I suspect this was not sought on the basis of political grounds (i.e. whilst potentially OK from an engineering risk perspective, it might look "bad" from a presentational perspective to be extending the deadline - given the fact that there is still media confusion over ALARP anyway, I think its true that there would have been an media uproar if they had tried to do that).

Not sure what your point is - either the cost is so high a judgement could have been made to say it was ALARP anyway without doing the seals? Per ac it seems to me a lower ££ than the cost of losing a crew, even though it seems the contribution of the seal issue to such a event seems very very low (given any ac design must cope with fuel leaks in any case). Is your cost correct just for seals, or mixed up with routine servicing?

Or is the seal issue much more of an issue that I'm led to believe above?

nigegilb

Maybe I misunderstand something now. How could Nimrod be ALARP with a time line? Surely it is either ALARP or it isn't? I remember a conversation with someone involved at the time. He was keen to tell me that the new standard was being allegedly described by Vsenior officers as ALARP plus. IE the aircraft ALREADY met the requirements for ALARP, nut once the peripheral work was completed the aircraft surpassed the requirements for ALARP.

I suspect the political involvement became obvious at this stage. Furthermore, your argument about seals and the fact that all aircraft suffer fuel leaks was dealt with by H-C, he was unimpressed.

Surprised you are still using the same line.


Regards,

Nige

JFZ90

HC makes reference to how the temporal (time) aspect of R (i.e. reasonable) in ALARP is widely misunderstood (but highlights how QinetiQ should know better). I.e. it is reasonable for it to take time to embody safety design changes, depending on the residual risk. TWA800 is a case in point where airworthiness directives gave Airlines years to modify their aircraft - on the basis that to ground all the worlds airliners until they were all modified was unreasonable in proportion to the risk. Obviously if the residual risk is such that another loss is not remote, then you do ground the fleet (e.g. Buccaneer - 1980 - most of the fleet 6 months on ground).

Doing all you can to avoid leaks is the design aim - but from an engineering perspective you can't make the probability of a fuel leak so remote that you don't have to mitigate (i.e. design) against their occurance. You can't be sure an aircraft won't leak - but you need to be confident as you can be that such a single failure won't cause the loss of the aircraft. HC does comment (p66) that this is a common philosophy across civil and mil. His main criticism is that he feels that (perhaps due to this this philosophy) there had been complacency in the management of fuel leak trends etc. - i.e. more could have been done to understand & reduce fuel leak risks. I wouldn't dispute this. I don't think he says you can eliminate fuel leaks altogether.

nigegilb

Fair answer, I have 747 experience, we adopted procedures approved by Boeing to reduce the chance of a CWT pump issue whilst the aircraft were modded, true enough.

I am just curious about ALARP Plus. I don't hear it used anymore, funny that!

Rigga

JFZ90 - Spot-On!

There is no leakproof or defect-proof system - only more leak resistant or more reliable systems.

Modifications come out all the time, due to the findings/reports of analysts and end-users, and each Airline vets whether the Mod is suitable or not for them - unless it is mandated.

Even before the Mandatory Mods are published, plans are (or should be) made, by the mandating authority and the OEM, to ensure the right parts are available for the affected fleets and the dates to comply with mandated mods are also mandated because they KNOW the availability of said parts. The risks in NOT embodying the Mods may involve the grounding of the fleets.

Some Mandated Mods are subjected to fleet planning and implementation times that may, in some way, risk an incident that is considered acceptable during that implementation time.

I (rather naively, I suppose) assume these risk values are very similar to those published in the CAA/ICAO SMS risk value charts and are, I suspect, "your" ALARP Plus items - on their way to being ALARP.

However; should I assume MOD would not be using CAA/ICAO values?

Squidlord

Tapper's Dad:

Replace "tolerability" by "acceptability", and "tolerable" by "acceptable" in the above and it would be more correct. "Tolerability" and, especially, "tolerable" are loaded words with specific meanings in the context of risk assessment so it would be more correct to use "acceptable" and "acceptability" (with generic meanings).

(Substitute "acceptable" for "tolerable" again.) This ignores the probability component of risk. If the probability of explosion or fire is very small then the risk is also small and so the cost of risk reduction would not need to be so high to sustain a claim that the risk was ALARP and *acceptable*.

So when Tapper's Dad writes,

the answer depends on what associated probability is. If it could be shown that this probability was *correctly* assessed as being very very low, then the answer would be not much money at all. I.e., the risk could have been correctly considered ALARP. I emphasise the word "correctly" because, of course, this was the fundamental failing of the Nimrod risk assessment prior to the disaster. They very badly (negligently in my opinion, and that of Haddon-Cave, I think) underestimated the risk.

I doubt it very much. (JFZ90 and Mick Smith as well,) see my post #46 in this thread.

I don't know/can't remember whether Nimrod IPT even assessed the ALARP status of the risks associated with the XV230 disaster. But the fundamental point was that they completely mis-assessed that risk. ALARP determination is secondary to risk estimation. If you severely underestimate the risk, as Nimrod IPT did, whether or not you do an ALARP assessment (correctly) tends to be irrelevant.

As you say ...

(Best not to use the term "tolerably safe".) Possibly the risk of operating XV230 was "tolerable" (in the specific meaning of that word in the risk assessment context). But this is not enough. It needs to be tolerable and ALARP. It was certainly never demonstrated ALARP (correctly) and it seems extremely unlikely that it was ALARP.

Tapper's Dad quotes Haddon-Cave

I agree entirely. I could write an essay on the term "airworthy" (personally, I would like to see the term scrapped because it is so ill-defined - we should just use the term "safe" instead). I have written essays on the meaning of "ALARP". It's a contentious principle for determining the acceptability of risk and, in my opinion, one of the best reasons for dumping it is its complexity and difficulty.

Having said all that, Haddon-Cave betrays a possible lack of understanding himself:

I don't think this is true. Risks can be "tolerable" but not ALARP. The language of risk assessment ("tolerable", "broadly acceptable", etc.) is unfortunately pretty badly put together but we are stuck with it now (like "airworthiness"?). So it doesn't surprise me that Haddon-Cave doesn't seem to have quite got it right (or his understanding of ALARP and Safety Cases) but it does suggest to me that it would have been better had he retained someone who could authoratatively advise him on risk and safety technical issues, e.g. Professor John McDermid (who is acknowledged in the report but didn't actually fulfill that role) or a senior HSE person.




SirPeterHardingsLovechild:

In my experience, most people involved in MoD safety don't actually know what the MoD definition of "safe" is. Ok, you might say, they could always look it up if they needed it. But they don't! I have seen so many MoD Safety Cases and safety assessments and the majority (yes - the majority!) use the wrong definition of "safe". It is pitiful.

So I'm not surprised if the same people don't know the definition of "airworthiness" or "ALARP".



JFZ90:

and in a later post:

This second quote manages to get the situation completely wrong. See my post #46 in this thread. The report was absolutely not erroneous in mentioning ALARP. It was erroneous in mentioning "tolerably safe". This is precisely the point Haddon-Cave makes (and I agree completely with the first two paras of Mick Smith's post #89). Firstly, the term "tolerably safe" should not be used without definition (and preferably not at all). Further, you do not write a report "properly" by using ill-defined terminology and it is definitely not the case that "they were in fact just trying to get QinetiQ to write their report properly". If the inclusion of the words was at the behest of the Nimrod IPT, I would be very surprised if it was anything other than an attempt to make the situation sound less bad that it was, i.e. "weasel words".

Secondly, my recollection of the QQ recommendations to address ALARP is hazy but I do recall they included some that would be considered fundamental good practice. It is generally considered (i.e., it is HSE guidance) that to demonstrate a risk is ALARP, it is necessary to apply all relevant good practice. Ergo, the non-ALARP status was nothing to do with timely implementation of risk reduction.

At the end of this post, I write more on the temporal aspects of ALARP.


JFZ90 quoted Mick Smith's blog:

This is potentially misleading as it suggests that "tolerable" risks are automatically ALARP, which is not the case. It would be correct to say, "if the risk to the aircraft is “tolerable” it must also be shown to be ALARP".

JFZ90 in another post:

Although I don't know precisely why the Nimrods are grounded, I agree with the principle of this. The ALARP principle is only one means of deciding whether a risk is acceptable (it just happens to be a necessary one).



Some more words about the temporal nature of ALARP.

Nigegilb wrote:

It is much much more complex than this. Leaving aside the fact that ALARP is a property of the risk of the way an aircraft (or other equipment) is operated, not just a property of the aircraft itself, e.g. see

http://www.pprune.org/military-aircr...ar#post4214180

there is, as Haddon-Cave alludes to, a temporal aspect to ALARP ...

Within MoD safety circles, there a is principle doing the rounds that is often referred to as "temporal ALARP", though use of this precise term is discouraged. The idea is roughly as follows. If you identify a (single) risk reduction that is necessary to reduce a risk ALARP and if that risk reduction would necessarily take some time to implement (e.g., a significant design change to a fuel system) then you may claim the risk is ALARP pending implementation of the design change as soon as practicable (and afterwards as well). There are (at least) three flaws with this.

1. You must show that the risk of operation pending implementation of risk reduction is ALARP. It might seem obvious that you can't do this. After all, that is why you are implementing the long-term risk reduction. But this ignores the exposure aspect of ALARP. In essence, the longer your exposure to a risk, the less likely it is to be ALARP (because that risk is more likely to precipitate an accident(s)). So it is possible, in principle, to demonstrate that the risk of operation pending implementation of the long-term risk reduction is ALARP. However, the "temporal ALARP" principle, as I've always seen it stated, does not require an explicit consideration of ALARP status pending risk reduction. And it is always possible to reduce that risk, e.g. by taking the equipment out of service (grounding an aircraft). There is, effectively, an assumption that the operational imperative makes removal from service impracticable but this assumption does not always hold.

2. So you decide to implement long-term risk reduction, e.g. a design change, as soon as practicable. What's to stop you from constantly delaying that design change, letting it slip to the right, etc? (not a problem with the principle itself but a problem with its application). I have seen this happening already.

3. The principle is already being abused. It was intended to be applied, where ALARP status has been assessed, to justify continued operation pending long-term risk reduction. It is also being used to justify continued operation where ALARP status hasn't even been assessed ("we've plans to do the ALARP assessment in the future so under "temporal ALARP", pending that assessment, our risk of continued operation is ALARP"). Arrrrghhhh!

Haddon-Cave supports some kind of "temporal ALARP" principle (as do I) and, as JFZ90 suggests and Rigga confirms, similar ideas are enshrined in, e.g., civil aviation. But such civil aviation ideas are much more closely bounded to address the three flaws above.

tucumseh

SPHLC


Squidlord




I am uneasy about the 3 IPT staffs being named. As SPHLC says, they knew what they were doing, fudged it, and must now stand to account. However, H-C makes much of the need for a “just” system. It is unjust to name 3 juniors (a Gp Capt is very junior in this context) yet disregard the management chain above them. Where was the management oversight and leadership? I do not think either H-C or MoD wanted to go there, because one would immediately see the links to other accidents.


Squidlord is right about the lack of understanding in MoD, and one significant reason is the above senior staffs (2 Star and above) have consistently ruled over many years that the safety and airworthiness regs can be waived. In particular, that physical safety is sufficient, functional safety can be ignored. When staffs see what happens to those who press for the regs to be implemented, is it any wonder they tend to switch off a little?

While no comfort to those who lost loved ones, at a certain level at least the Nimrod IPT understood they had to implement the regs and tried to do so; albeit incompetently. What is the greater offence; that incompetence by the Nimrod IPT, or the abrogation of duty of care by their seniors and other IPTs who don’t bother in the first place? I’ve asked that before and have written replies from two 2 Stars and a 4 Star, who state those who ignore the regs are in the right. The Nimrod IPT problem can be corrected relatively easily. The real problems lie elsewhere. I suspect MoD will be trying to fix the former while shoving the latter under a carpet. But, as someone said, the H-C report was Day 1.

Tappers Dad

I received this from the top(well near the top)

Haddon-Cave Review Implementation Team (HCRIT)
HCRIT is an independent organisation that has been directed by the Second Permanent Under-Secretary (2ndPUS) to set specific requirements on the key airworthiness organisations to ensure they deliver the required outcomes, as agreed by the Secretary of State. Thereafter, the Team will be responsible for the coherent management of the requirements and for policing the implementation across Defence against agreed outputs and timelines, with the appropriate organisations managing any changes that are called for within their respective areas of responsibility. Specifically:

a. Inform 2ndPUS and the Nimrod Review Analysis Sub Group
(NRASG) on the impact and implications of the recommendations made by the Review.
b. Produce an implementation plan for the required work to be agreed by NRASG.
c. Deliver clear understanding throughout the implementation
across all air domain stakeholders of the impact of the Haddon-Cave Review recommendations.
d. Lead and champion implementation across the air environment, negotiating as necessary the reprioritisation of activity to meet the Department's commitment to the delivery of Haddon-Cave findings.
e. Orchestrate any follow on work that is required to facilitate or understand the recommendations.
f. Provide periodic updates to 2ndPUS on progress, identifying barriers to implementation that cannot be resolved.
g. Liaise with external agencies where recommendations have
implications to both the non-air environment and agencies outside of the Ministry of Defence.


I am not sure about f. identifying barriers to implementation that cannot be resolved.But it sounds like a good start.

JFZ90

I'm not sure you're right - actually for the reasons that you outline in post #46 - i.e. I agree with your point that "tolerably safe" should be defined if it is to be used in any meaningful way. The same of course applies to using the term ALARP.

I think the view on whether my quote is correct depends on what you think the meaning/conclusion of the report should have been. Given this report was post the accident, post the steps taken to remove the ignition source etc., I believe its intention was to report on whether the fuel system within the new context was actually "safe" (or not).

Hence - you either think:

A) the report concludes that it was "not safe enough", in which case this should be reflected in the conclusion. This could make reference to risks remaining are so high that they are e.g. intolerable and require fixing before flight ops continue - this could have resulted in the fleet being grounded. The risk would have to have been quantified to substantiate such a conclusion.

or

B) the report concludes that it was "safe enough", in which case this should also be reflected in the conclusion. This would then require a conclusion that outlines that the remaining risks were defined to be tolerable. The risks would have to have been quantified to substantiate such a conclusion.

I agree the terminology can be confusing - but given that I don't believe that the Nimrod fleet was grounded following this report I can only conclude that the report message was intended to be B). In this context it was therefore misleadingly for the report to mention it was not ALARP - to do so would have ignored the temporal aspect.

Also - it is not necessarily the case that QQ in writing the report have access to the costs involved in mitigating risks - for this reason alone it is unclear on what basis they were making an ALARP assessment - is it quantified in the report? By the same token they don't quantify tolerably safe. I think the intention was to give the B) conclusion - in which case any assertion the it was tolerably safe should have been quantified and hence justified more clearly.

In either case A) or B) the risks are not quantified so it could be argued the report is fundamentally flawed in any case.

On this basis it is also true that you can't actually use the report as the basis to say some minister/RAF officer/civil servant has lied.

Willing to be be proved wrong, but I think it is you, not HC, who has this wrong. Give us an example of such a risk? It doesn't make sense.

Lyneham Lad

I have just been catching up on this thread and read the in-depth discussions re QQ and MoD failings. However, I see no mention of BAE. The last time I read comment on them, it appeared that they were covering-up par excellence (or head in the sand). Surely they and their failings should still be centre-stage?