BOI into the 2012 Tornado Collision over the Moray Firth
An employer's responsibility to an employee on H&S grounds, which is what I think your quote from Lord N referred to (given the "safe system of work" section), is based on a principle of ALARP.
Safe means more than ALARP, it means Tolerable and ALARP (you cannot have Intolerable and ALARP). According to the MAA RA the Duty Holder is required to justify his Tolerable and ALARP statement in a court of law, in the event of an accident. Let's not forget that this so-called "safe system" resulted in the death of three people and the loss of two aircraft.
DV
safe does not equal zero deaths.
Well I don't AP, when he also says:-
It could indeed be safe with the death of 3 people
Tolerable and ALARP
I work as a safety engineer in the UK rail sector. Although the rail sector has its own standards (national and European), all of these are subservient to the law of the land, i.e. the Health and Safety at Work Act.
It's a long time since I worked for the MoD in any capacity, and my service predates the MAA and a lot of the new thinking surrounding safety of military aircraft, so please forgive me if I make any erroneous statements or assumptions about the manner in which the law applies to military aircraft in the 21st Century.
The ALARP principle (or SFAIRP - So Far As Is Reasonably Practicable in HASAW terms) is quite simple to apply in theory. All risks must be reduced to a level that is tolerable (what is meant by "tolerable" must be defined in the responsible organisation's Safety Management System) and furthermore must also be reduced to a level that is As Low As Reasonably Practicable. At this stage, as has been pointed out, cost comes into the equation.
Basically, what has to be done is this. For each risk, once it has been mitigated down into the "tolerable" region, further mitigation measures should be sought, and MUST be implemented UNLESS it can be shown that the cost of doing so is grossly disproportionate to the safety benefit to be realised through implementation of this mitigation.
In the UK rail industry, grossly disproportionate is generally taken to mean more than three times the safety benefit, measured in terms of equivalent fatalities. The VPF (Value of Preventing a Fatality) is around £1.7m, more if we are talking about multiple deaths (due to public aversion to this sort of accident).
So, if your identified safety measure will cost £3m to implement, but will save at least £1m in equivalent fatalities, then it must be implemented in order to justify ALARP.
Of course, it's never this easy in practice, as the true cost and value is always open to argument and horse trading. And we don't expect, with any complex system, to ever achieve zero fatalities. The word "safe" actually means "acceptably unsafe", although no-one will ever use that phrase in a safety case...
But if the cost of putting into place a mod is £50 million, and would only save 5 lives, then it can be considered too much and set aside under an ALARP principle.
VPF
Well, I don't know what the figure is that the MoD uses for VPF, but on those figures, in the rail industry, the £50m mitigation would not be implemented, and the current solution would be deemed ALARP (always assuming that the risk without mitigation was not intolerable).
Elephant in room...... MoD 2 & 4 Stars, successive Mins(AF) and Head of Civil Service (e.g. Sir Jeremy Heywood only last October) have trumped the ALARP and VPF principles by formally ruling such systems need not be functionally safe. They may be fitted, but they don't have to work. MAA are aware and are party to these rulings, two senior RAF officers having been named therein. Privately, I know they don't agree, but must do as they're told or resign. The trouble with the MAA being under the MoD thumb.
First things first. Sort that one out.
PeregrineW - good post. The figure in MoD used to be about £4M but is now the £1.7M you quote.
Back in my Boscombe Down days, we were pushing to have all software on which the safety of the aircraft depended subjected to static code analysis (proof of software correctness). We had some success with this on the C130J project, but were told that the upgraded Harrier HUD didn't need to be developed in this manner as the HUD wasn't the "primary source of speed, attitude, and altitude information" for the pilot. Instead, he was supposed to refer to the basic air/gyro operated instruments, which were mostly obscured by his knees and certainly not directly in his line of sight.
In those days, Their Airships used to make it up as they went along, and it seems times haven't changed much!
PeregrineW
Your words will be ringing bells with those old hands familiar with the Mull of Kintyre case. Here is an extract from the main submission to Lord Philip's review, which he accepted. It seeks to establish that MoD lied about Boscombe and Static Code Analysis, and MoD were less than amused that the actual policy author came forward to confirm MoD lied.
Extract.... (sorry, formatting may be odd) (Discussing MoD's claims....)
Boscombe Down Tasking
It is therefore wrong to say;
“Boscombe Down wished to verify the software in the FADEC system using their preferred method known as Static Code Analysis.”
It is irrelevant what Boscombe “wished” to do; the responsibility to reconcile the FADEC specification, contract terms and conditions, Trials, Evaluation and Acceptance Plan, Boscombe Down tasking and their ability to carry out that tasking lay entirely with MoD. It failed in this duty.
The following is also wrong.
“The Department chose to terminate the EDS-SCICON contract at this point because the requirement for Static Code Analysis was an internal Boscombe Down policy, not supported by Defence Standards.”
Clearly, the requirement to conduct SCA was enshrined in MoD policy, which (obviously) sits above Defence Standards in the standards hierarchy. In fact, the policy specifically warns, at Annex A, A8.2 (Standards), that RTCA DO 178A and Def Stan 00-31 are less than rigorous as they do not include SCA. RTCA DO 178A was the standard against which FADEC was developed. Such a specific warning in the policy should have raised alarm.
(and a little later...........)
Summary
DUS(DP)’s policy invokes Static Code Analysis. Subsequently, Def Stan 00-55 confirmed and detailed two basic approaches to safety critical software:
· The use of formal methods (correct by design), and,
· The static analysis of the code (conformance with the design)
The nature of FADEC software required (in the words of DUS(DP)’s policy) “sophisticated mathematical proving”. SCA is such a methodology and, to this end, Boscombe Down was provided with MALPAS and SPADE.
A CBA report, prepared during 2011 by DSTL for the implementation of CWS on Tornado GR4 aircraft, came up with an overall cost of £7 million for each life lost. This includes all training cost. The report also recommended that a Gross Disproportion Factor (GDF) of 9.9 be used, where, according to HSE guidelines, 10 is at the Tolerable/Intolerable boundary and 1.0 at the Tolerable/Broadly Acceptable boundary. So you can see how expensive the 2012 collision was; £210 million. Not ALARP.
In his Tolerable and ALARP statement of 11th Sept 2011 AVM Atha used an overall cost figure of £4 million and a GDF of 1.0. He also concluded, based on historical data, that there would be one fatality over the next 25.8 years, which equated to 0.15 fatalities before the OSD. He came up with a disproportionate cost of just £0.6 million and declared the risk as being ALARP.
That is why AVM Atha must explain the justification for his statement in a court of law, as per MAA regulations.
DV
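The gross disproportion test described in PeregrineW's "Tolerable and ALARP" post, and the two competing CWS assessments DV sets out above, reduce to the same calculation: a mitigation is required unless its cost exceeds GDF times the monetised safety benefit (equivalent fatalities averted multiplied by the VPF). The block below is an added worked example, not part of any post in the thread and not a DSTL or MAA tool. The function and field names are my own; the figures are those quoted in the posts (£7m per life and GDF 9.9 from the DSTL report, £4m per life, GDF 1.0 and 0.15 expected fatalities from the AVM Atha statement, £56m for fleet embodiment, and the rail sector's £1.7m VPF with a factor of 3). The number of years to the OSD is back-calculated from the 0.15 figure and is an assumption, as is the optional aversion uplift for multi-fatality events.

```python
"""ALARP gross-disproportion test, worked through with the figures quoted in the thread.

Added example: the combination rule below (cost vs GDF x benefit) is the one the
posts describe; the code, names and the back-calculated OSD are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarpResult:
    safety_benefit: float           # £m: equivalent fatalities averted x VPF
    justified_spend: float          # £m: GDF x safety benefit
    grossly_disproportionate: bool  # cost exceeds the justified spend
    must_implement: bool            # ALARP requires the mitigation


def safety_benefit(fatalities_averted: float, vpf: float, aversion: float = 1.0) -> float:
    """Monetised benefit of a mitigation, in £m.

    aversion is the optional uplift the rail post mentions for multi-fatality
    events; 1.0 (the default, an assumption) means no uplift.
    """
    return fatalities_averted * vpf * aversion


def alarp_test(cost: float, benefit: float, gdf: float) -> AlarpResult:
    """Gross-disproportion test for one candidate mitigation (all money in £m).

    The cost is grossly disproportionate only if it exceeds GDF x benefit
    ("more than three times" in the rail post), so a cost exactly at the
    threshold still has to be implemented.
    """
    if cost < 0 or benefit < 0 or gdf <= 0:
        raise ValueError("cost and benefit must be >= 0, GDF must be > 0")
    justified = gdf * benefit
    disproportionate = cost > justified
    return AlarpResult(benefit, justified, disproportionate, not disproportionate)


def expected_fatalities(fatalities_per_year: float, years_remaining: float) -> float:
    """Equivalent fatalities expected before the out-of-service date (OSD)."""
    return fatalities_per_year * years_remaining


# Cost of fleet embodiment of the collision warning system, as quoted in the thread (£m).
CWS_COST = 56.0


def compare_cws_assessments() -> dict:
    """Run the same £56m mitigation through the two parameter sets quoted above.

    'dstl': £7m per life, GDF 9.9, the three lives lost in the 2012 collision.
    'atha': £4m per life, GDF 1.0, one fatality per 25.8 years giving
            0.15 expected fatalities before the OSD (about 3.9 years, assumed).
    """
    dstl = alarp_test(CWS_COST, safety_benefit(3, 7.0), gdf=9.9)
    years_to_osd = 0.15 * 25.8  # back-calculated from the 0.15 figure; an assumption
    atha_fatalities = expected_fatalities(1 / 25.8, years_to_osd)
    atha = alarp_test(CWS_COST, safety_benefit(atha_fatalities, 4.0), gdf=1.0)
    return {"dstl": dstl, "atha": atha}


def rail_examples() -> dict:
    """The two rail-sector illustrations from the thread (£1.7m VPF, factor of 3)."""
    return {
        # £3m measure saving £1m in equivalent fatalities: exactly at 3x, so required
        "3m_vs_1m": alarp_test(3.0, 1.0, gdf=3.0),
        # £50m modification saving five lives at £1.7m each: 50 > 3 x 8.5, set aside
        "50m_vs_5_lives": alarp_test(50.0, safety_benefit(5, 1.7), gdf=3.0),
    }


if __name__ == "__main__":
    for name, r in compare_cws_assessments().items():
        verdict = "must implement" if r.must_implement else "grossly disproportionate; ALARP without it"
        print(f"{name}: justified spend £{r.justified_spend:.1f}m vs cost £{CWS_COST:.0f}m -> {verdict}")
```

The point the two runs make is the one DV is making: with the DSTL parameters the justified spend is roughly £208m and a £56m embodiment is clearly required, while with a £4m VPF, a GDF of 1.0 and 0.15 expected fatalities the justified spend collapses to £0.6m and the same £56m is "grossly disproportionate". Nothing about the aircraft changed between the two verdicts, only the inputs.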
If we're expected to believe that marginal gains in safety justify the investment of £70m per life saved, then the safety system will eventually eat itself through poor behaviours as people desperately try to preserve capability. Can you imagine the fuss if it turned out an equivalent amount was being invested in life-extending drugs by the NHS?
Did those involved in 230 not frig the numbers to make it look better than it actually was?
Easy, reading between the lines I don't think people are that interested in preserving capability. The reason I say this is that a good number of my ex colleagues have moved away from jobs developing capabilities to positions of monitoring with "safety and airworthiness" in their job titles in order to retain their jobs.
ES:-
False analogy. The equivalent fuss would be that millions had been cut from life extending drugs development, but that they had been signed off as fully developed and life extending anyway, and then prescribed by the NHS with resulting needless deaths and massive costs down the line.
What goes around comes around, and it is all around us at the present. As tuc says, unless and until the elephant in the room is acknowledged by the MAA and dealt with accordingly there are going to be more needless deaths, more added costs, and an ever greater debilitating effect on capability.
MRA? You ain't seen nothing yet, this nettle needs grasping by what remains of the Royal Air Force and well before it gets that telegram from HMQ!
ES, I am not sure how you arrived at:
If we're expected to believe that marginal gains in safety justify the investment of £70m per life saved
An investment of around £56 million for fleet embodiment could have saved the lives of three people, valued at £210 million; hardly a marginal gain.
DV
I think we all appreciate there isn't, and can't be, a one size fits all policy. That is one of the main reasons why certain key staffs are required to exercise engineering judgement. I happen to agree with this policy. What I don't agree with is the practice whereby staffs with no engineering background whatsoever are permitted to self delegate and overrule properly formulated decisions, or make engineering decisions that are manifestly unsafe.
The other key aspect is if you study the accidents we discuss here, Chinook ZD576, Nimrod XV230, Hercules XV179, Tornado ZG710 and so on, in all cases simply following the regulations would in all probability have prevented the accident (by eliminating events and factors that led to cause) and that in most cases this would have been cheaper and quicker. None of these aircraft satisfied the design and airworthiness regulations (which are all about safety).
As an example, one time I was faced with such an overrule, on an IFF system, the project office responsible flatly refused to integrate Mode 4 failure warnings (the same primary factor that caused ZG710 to be shot down). This saved them the princely sum of SFA. All they had to do was refuse to pay up and the contractor would have had to do his job properly, which would have taken less time as they actually had to amend the design pack to ensure it was non-compliant!! Aircrew on detachment to Boscombe Down pleaded for the regs to be implemented and were ignored. When the aircraft was delivered to me (to conduct a mid life upgrade) it cost me £4M to do this work - and of course that doesn't count the modification work on the Fleet and the impact on Operational Effectiveness. As the money had already been spent (on nothing) the rules (quite rightly) said I could not be given any more, so as well as time and money being lost, some capability had to be sliced out of the aircraft spec. Both Director General Air Systems 2 (the Nimrod MRA4 and Chinook HC Mk3 2 Star) and the Chief of Defence Procurement specifically ruled all this was acceptable, and that the IFF project office had been correct to knowingly pay for, accept and deliver a functionally unsafe aircraft (which is to commit fraud). And the RN could swivel if they didn't like it. And swivel they did. And the RAF did nothing, despite a recommendation that they check their own IFF failure warning integration, hence ZG710 was unsafe on 22.3.03.
As ever, the MAA are aware and support these decisions.
The herd of elephants I talk about!
dragartist
You are quite right there. I know that in the RN the posts with "management" in their description (for example, what are called Requirements Managers nowadays) were changed to "monitoring" in 1988; as a result of the Hallifax Savings. The RAF formally followed a few years later, but in practice had already changed. RqM defaulted to MoD(PE), so it was a matter of sheer luck if the project manager had the necessary background. I detested those prats who said "Yes, I've monitored the situation, and know the aircraft is unsafe", and walked away.
In April 2003 MoD briefed PUS (the Chief Accounting Officer) that there was only one employee in DPA or DLO (now, broadly, DE&S but with many functions removed) who thought it correct to implement "safety and airworthiness" or financial probity regulations. That claim has been repeated many times since by various Mins(AF). Clearly, it is wrong (although a few who believe it correct post here!), but it is another elephant that must be removed before the MAA can make any progress.
The frightening thing is, when signing such balls successive Ministers and Heads of the CS don't say "WHAT?!" and demand an explanation. And MoD has very senior staffs who actually think it clever to admit this to Ministers. Both lack the mental capacity to associate their policy with scores of avoidable deaths.
The news is getting some coverage up here but from what I read on pprune this new excuse that the MAA investigation is sufficient doesn't stand up and is at odds with what the Procurator Fiscal and Crown Office have been saying.