The folly of ‘paper safety’ – lessons from the Nimrod review

On 2nd September 2006, RAF Nimrod XV230 was on a routine mission over Helmand Province in Southern Afghanistan when, only minutes after completing air-to-air refuelling, she suffered a catastrophic mid-air fire which led to the total loss of the aircraft and the death of all 14 on board. Following the initial investigation by the Board of Inquiry which reported on the probable cause of the accident, a broader independent review was instigated in late 2007.

The Nimrod review, led by Charles Haddon-Cave QC, conducted a wide ranging inquiry over some 20 months. It studied many thousands of documents dating from the 1930s to the present day, interviewed hundreds of witnesses of all ranks and in all relevant organisations, and visited numerous locations [Ref 1].

The review concluded that the most likely cause of the accident was an inadvertent fuel overflow from number one tank during air to- air refuelling, which ignited on contact with a hot pipe. The review further concluded that design flaws introduced in 1969, 1979 and 1989 all played a crucial part in the loss of XV230. Also, there had been a number of previous incidents and warning signs potentially relevant to XV230, which should have served as a “wake up call”.

A LAMENTABLE JOB

According to the review, the Nimrod Safety Case, which took 4 years to produce after the introduction of new regulations in 2002, was a “lamentable job from start to finish” and missed the key dangers. The “best opportunity to prevent the accident to XV230 was, tragically, lost”.

The Nimrod Safety Case process was “fatally undermined by a general malaise” – a widespread assumption by those involved that the Nimrod was ‘safe anyway’ because it had successfully flown for 30 years -and the task of drawing up the Safety Case became a paperwork and ‘tick box’ exercise. The safety case “was virtually worthless as a safety tool”.

The review concludes that the safety case regime in the military environment has led to a culture of ‘paper safety’ at the expense of real safety. It currently does not represent value for money. The shortcomings of a significant proportion of safety cases are extensive [see Box 1].

The purpose of any safety case regime is to encourage people to think as actively as they can to reduce risks [Ref 2]. But, in some instances, the review suggests that safety cases seem to be achieving the opposite effect: “giving people a false sense of security that a safety case is some sort of paper ‘vault’ into which risks may be safely deposited and forgotten about”.

LESSONS LEARNED

The Nimrod review points out that while lessons to be learned from the loss of XV230 are profound and wide-ranging, many of the lessons are not new. The organisational causes echo other major accidents, such as the loss of the space shuttles Challenger and Columbia, and the Piper Alpha disaster and BP Texas City explosion.

The review makes recommendations in eight key areas to improve safety and air worthiness for the future, including a new approach to safety cases. In particular, recommendations are made for best practice for safety cases, which should be brought in-house, and made more focused, proportionate, and relevant.

The review also recommends renaming safety cases ‘Risk Cases’ to focus attention on the fact that they are about managing risk, not assuming safety. A simple definition of a Risk Case is a “reasonable confirmation that risks are managed to ALARP levels”. It is further proposed that Risk Cases should be ‘SHAPED’ against six principles: Succinct, Home-grown, Accessible, Proportionate, Easy to understand and Document-lite.

CONCLUSIONS

The language of the Nimrod review is direct, its criticisms unsparing. In particular, it is outspoken about the military safety case culture of ‘paper safety’ and recommends a host of solutions.

The military safety case regime is relatively new having only been introduced in 2002. Other high-hazard industries with a longer history of safety cases have similarly wrestled with implementing best practices (for example, see Ref 3). The Nimrod review is a timely reminder that safety cases are worthless unless safety is embedded in engineering and operations.

References

1. The Nimrod Review, Charles Haddon-Cave QC, 28th October 2009.
2. Ladbroke Grove Rail Inquiry Part 2 Report, 2001.
3. Ten Good Practices for Oil & Gas Safety Cases, RISKworld, Autumn

This article first appeared in RISKworld Issue 17.