Complex safety systems

There is a belief that large organisations with complex safety systems will be inherently safe. Unfortunately, this is not necessarily true. The Royal Air Force Nimrod fleet demonstrated this.

The Nimrod MR1/MR2 commenced operations in the RAF in 1969. The aircraft had many roles in its life: maritime surveillance aircraft; electronic intelligence gathering; dedicated airborne early warning platform; Search Air Rescue; and battlefield ground intelligence monitoring and coordinated response platform.

For the 1982 Falklands War, it was hastily retro-fitted with air-air refueling capability. Whilst not intended for permanent use, this capability became the norm after the war.

For the first 25 years, in its primary role of maritime surveillance, it had an impeccable safety record. The Nimrod was highly operationally committed from 1990 in the theaters of Kuwait, Africa, Kosovo, Iraq and Afghanistan. In September 2006, after conducting air-air refueling, a Nimrod suffered an in-flight fire and crashed near Kandahar in Afghanistan.  The cause of the fire was determined to be a fuel leak onto hot pipes.

Although considered a crash caused purely by a mechanical failure, a long and detailed enquiry conducted by Justice Haddon-Cave unveiled a series of much larger organisational failures.

Click here for NASA Safety Case regarding the Nimrod failure

The following three videos are parts 1, 2 and 3 from BBC Panorama, which explain the circumstances of the crash and the larger issue of maintaining an ageing fleet of complex aircraft.

The following video is an address to The Piper 25 Convention (a UK off-shore Oil and Gas convention on the 25th anniversary of the Piper Alpha disaster) where Justice Haddon-Cave discusses the larger organisational and cultural contributions to the accident.

Summation of Justice Haddon-Cave address

There were seven significant contributing factors to the accident:

  1. Complexity of the MoD safety system.  The complexity and ‘devotion to change’ resulted in a safety system that was meaningless to the person at the coal face.
  2. Dilution of responsibility and accountability.  This resulted from the ever-increasing complexity of the safety system, and the abdication to third party contractors.
  3. Management by committee and consensus.  There were too many committees, sub-committees and stretching of the safety management line.
  4. Lack of Challenge.  There was an attitude of conformity without questioning. Telling managers what they wanted to hear was more important than reality.
  5. Migration of decision making.  Decision making was being removed from those most knowledgeable and with the most information.  This was especially true in budget and business decisions.
  6. Triumph of Generalist over Specialist.  There was too little appreciation for, and consultation with personnel with experience, in favour of ‘Soft-Handed-MBAs’.
  7. Paper Safety. There was an over-reliance on colour diagrams and PowerPoint presentations rather than examination of people, process and culture.

The lessons learnt from the Nimrod accident were many and far reaching. Justice Haddon-Cave summarised the recommendations as follows:

  1. It was more important to look for the underlying organisational causes for the accident rather than at personnel associated with it, particularly the ‘coal-face’ people such as pilots, engineers or supervisors.
  2. Beware assumptions.  Because the aircraft had flown reliably and safely for 25 years, had a complex safety system built around it, and had its maintenance outsourced to the manufacturer, there was an assumption of ‘what could possibly go wrong?’
  3. The need to avoid change for change's sake.  Change was so expected with the Nimrod fleet that most personnel had moved through ‘Change Fatigue’ and into ‘Numbness to Change’.  The very fact that change creates risk appears to have been forgotten.
  4. Avoid the ‘comfort blanket’ of complexity, compliance and consensus. Because the safety system was complex, this led to the assumption it must be safe. The reliance on compliance led to dealing with only process, not problems. Consensus was sought for safety issues rather than asking the awkward questions that might affect operational capability.
  5. Do not outsource thinking – remain an intelligent customer. Outsourcing may produce many economic benefits but it also produces many perils. There is an overriding need to retain in-house experience and knowledge.  Outsourcing can be corrosive to in-house memory and there need to be very clear SLAs to allocate the responsibility and management of risk.
  6. Risk Management Plans need to be used as an aid and not an end solution. There needs to be an understanding of Real, not Paper Safety. Too often compliance cases were viewed as Real Safety.  RMPs should follow the SHAPED acronym: Succinct, Homegrown, Accessible, Proportionate, Easy to understand and Document light.
  7. Age matters. Extending life does not work without a planning and management program. It is possible to maintain older fleets very effectively, but not without the right care, resources and attention to detail.

Justice Haddon-Cave concluded by quoting Franklin D Roosevelt in saying, ‘Rules are not sacred, principles are’. He added it was not possible to live by this unless:

  • Leadership – were fully committed to safety and led by example
  • Independence – was maintained in keeping safety separate from operations
  • People – were recognised as key, not just process and paper
  • Simplicity – was employed in safety; use the KISS principle.

The Nimrod fleet was retired in 2011. The decision had been made to upgrade the aircraft; however, successive governments and contractors saw the cost, complexity and time for the replacement aircraft go beyond tolerance. The development of the replacement aircraft (MRA4) was abandoned in 2010.