The Nimrod Review - Official Documents

More documents

Recommendations

Info

17.33.2 17.33.3 Chapter 17 – Columbia and Other Lessons “Years of workforce reductions and outsourcing have culled from NASA’s workforce the layers of experience and hands on systems safety that once provided a capacity for oversight. Safety and Mission assurance personnel have been eliminated, careers in safety have lost organisational prestige and the program now decides on its own how much safety and engineering oversight it needs.” 31 “NASA’s culture of bureaucratic accountability emphasised chain of command, procedure, following the rules, and going by the book. While rules and procedures were essential for co-ordination, they had an unintended but negative effect. Allegiance to hierarchy and procedure had replaced deference to NASA’s engineers’ technical expertise”. 32 CAIB’s conclusions on organisational problems at NASA 17.34 The CAIB’s conclusions on the deep-seated organisational problems that it found in NASA included the following thoughts: 17.34.1 Leaders create culture. It is their responsibility to change it. Top administrators must take responsibility for risk, failure, and safety by remaining alert to the effects their efforts have on the system. Leaders are responsible for establishing the conditions that lead to their subordinates’ successes or failure. The past decisions of national leaders, the White House, Congress, and NASA headquarters, set the Columbia accident in motion by creating resource and schedule strains that compromised the principles of a high-risk technology organisation. NASA’s success became measured by cost reduction and whether the schedule was met. 17.34.2 Changes in organisational structure should be made only with careful consideration of their effect on the system and their possible unintended consequences. Changes that make an organisation more complex may create new ways that it can fail. When changes are put in place the risk of error initially increases as old ways of doing things compete with new. Institutional memory is lost as personnel and records are moved and replaced. Changing the structure of organisations is complicated by external budgetary and political constraints, the inability of leaders to conceive the full ramifications of their actions, and the failure to learn from the past. Nonetheless, change must be made. NASA’s blind spot was that it believed it had a strong safety culture. Programme history shows that the loss of a truly independent, robust capability to protect the system’s fundamental requirements and specifications inevitably compromised those requirements, and therefore increased risk. 17.34.3 Strategies must increase the clarity, strength and presence of signals that challenge assumptions about risk. Twice in NASA’s history the agency embarked down a slippery slope that resulted in catastrophe. Each decision taken by itself seemed correct, routine and indeed insignificant and unremarkable, yet their effect was stunning. A safety team must have equal and independent representation so that managers are not again lulled into complacency by shifting definitions of risk. It is worth acknowledging that people who are marginal and not in positions of power may have useful information that they do not express. Even when such people are encouraged to speak, they find it intimidating to contradict a leader’s strategy or a group consensus. 17.34.4 Responsibility and authority for decisions involving technical requirements and safety should rest with an independent technical authority. The CAIB said there were lessons to be learned from other organisations that had been accident-free, including e.g. the US Navy Submarine and Reactor Safety programs: 33 “Organisations that successfully operate high risk technology have a major characteristic in common: they place a premium on safety and reliability by structuring their programs so that technical and safety engineering organisations own the process of determining, maintaining and waiving technical requirements with a voice that is equal to yet independent of Program managers 31 CAIB Report, page 181. 32 CAIB Report, page 200. 33 CAIB Report, page 182. 453
The Nimrod Review 454 who are governed by cost, schedule and mission accomplishment goals”. 34 The CAIB recommended the establishment of an independent Technical Engineering Authority which would be responsible for technical requirements and all waivers of them. It would build a disciplined, systematic approach to identifying, analysing and controlling hazards throughout the life cycle of the shuttle system. As a minimum, the authority would: develop and maintain technical standards; be the sole waivergranting authority; conduct trend and risk analysis at the sub-system and enterprise level; own the effective analysis and hazard reporting systems; conduct integrated hazard analysis; decide what is and is not an anomalous event; and independently verify launch readiness, approve rectifications set out in CAIB’s report. This technical authority was to have no connection to, or responsibility for, schedule or programme costs. Other observations following the CAIB 17.35 The following observations following the CAIB report are also valuable: 17.35.1 By Brigadier General Duane Deal: “If reliability and safety are preached as “organizational bumper stickers”, but leaders constantly emphasize keeping on schedule and saving money, workers will soon realize what is deemed important and change accordingly. Such was the case with the shuttle program.” 35 17.35.2 By Diane Vaughan: “Although all mishaps, mistakes, and accidents cannot be prevented, both of NASA’s accidents had long incubation periods, thus they were preventable. By addressing the social causes of gradual slides and repeating negative patterns, organisations can reduce the probability that these kinds of harmful outcomes will occur. To do so, connecting strategies to correct organisational problems with their organization system causes is crucial.” 36 The Herald of Free Enterprise (1987) 17.36 In his report into the Zebrugge Disaster, in which a passenger/car ferry The Herald of Free Enterprise sank off Zebrugge on 6 March 1987 because the bow door had been left open, Sir Barry Sheen acknowledged the shipboard (or ‘active’) errors of the Master, the Chief Officer, and the Assistant Bosun, but said that the underlying or ‘cardinal’ faults lay higher up in the company. Sir Barry Sheen had the following observations about the part played by Townsend Thorensen’s management in the catastrophe, in which 193 passengers and crew died: 37 “At first the faults which led to this disaster were the aforesaid errors of omission on the part of the Master, the Chief Officer and the assistant bosun, and also the failure by Captain Kirk to issue and enforce clear orders. But a full investigation into the circumstances of the disaster leads inexorably to the conclusion that the underlying or cardinal faults lay higher up in the company. The Board of Directors did not appreciate their responsibility for the safe management of their ships. They did not apply their mind to the question: What orders should be given to the safety of our ships? The directors did not have any proper comprehension of what their duties were. There appears to have been a lack of thought about the way in which the HERALD ought to have been organized for the Dover/ Zeebrugge run. All concerned in management, from members of the Board of Directors down to the junior superintendants, were guilty of fault in that all must be regarded as sharing responsibility for the failure of management. From the top to bottom the body corporate was infected with the disease of sloppiness.” The failure on the part of the shore management to give proper and clear directions was a contributory cause of the disaster. 38 34 CAIB Report, page 184. 35 See Brig Gen Duane W. Deal, USAF, Member of CAIB Board, ASPI article ‘Beyond the Widget’. 36 See Diane Vaughan’s article “System Effects: On Slippery Slopes, repeating Negative Patterns, and Learning from Mistake” in “Organization at the Limit: NASA and the Columbia Disaster”, William Starbuck and Moshe Farjourn eds. Blackwell, 2005.) 37 Formal Investigation in the m.v. Herald of Free Enterprise (Report of the Court No. 8074) (1987) into the Zeebrugge Disaster on 6 March 1987 (Mr. Justice Sheen sitting with Assessors). 38
Page 1 and 2:
THE NIMROD REVIEW An independent re
Page 3 and 4:
© Crown Copyright 2009 The text in
Page 5 and 6:
THE LOSS OF RAF NIMROD XV230 A FAIL
Page 7 and 8:
XV230
Page 9 and 10:
2 The Nimrod Review Section Two: Re
Page 11 and 12:
Chapter 1 - Introduction and Summar
Page 13 and 14:
The Nimrod Review Offices and Team
Page 15 and 16:
Executive Summary Introduction Loss
Page 17 and 18:
Chapter 1 - Introduction and Summar
Page 19 and 20:
Coroner’s Inquest Chapter 1 - Int
Page 21 and 22:
Chapter 2 - History of the Nimrod A
Page 23 and 24:
2.8 2.9 Chapter 2 - History of the
Page 25 and 26:
Nimrod 2000/MRA4 2.23 2.24 Chapter
Page 27 and 28:
2.37 Chapter 2 - History of the Nim
Page 29 and 30:
2.45 2.46 Chapter 2 - History of th
Page 31 and 32:
CHAPTER 3 - THE BOARD OF INQUIRY RE
Page 33 and 34:
Chapter 3 - The Board of Inquiry Re
Page 35 and 36:
Chapter 3 - The Board of Inquiry Re
Page 37 and 38:
3.22 Chapter 3 - The Board of Inqui
Page 39 and 40:
PART II: PHYSICAL CAUSES
Page 41 and 42:
The Nimrod Review 36 (2) The escape
Page 43 and 44:
The Nimrod Review 38 because Nimrod
Page 45 and 46:
The Nimrod Review 40 7. The Cross-F
Page 47 and 48:
The Nimrod Review 42 Addition of SC
Page 49 and 50:
The Nimrod Review 44 No. 7 Tank Dry
Page 51 and 52:
The Nimrod Review 46 4.17 4.18 Tria
Page 53 and 54:
The Nimrod Review 48 4.24 Figure 4.
Page 55 and 56:
The Nimrod Review 50 Shrouds 4.32 b
Page 57 and 58:
The Nimrod Review 52 4.36 This conf
Page 59 and 60:
The Nimrod Review 54 4.42 Gaps 4.43
Page 61 and 62:
The Nimrod Review 56 (3) Inadequate
Page 63 and 64:
The Nimrod Review 58 (1) Breach of
Page 65 and 66:
The Nimrod Review 60 4.64 4.65 4.66
Page 67 and 68:
The Nimrod Review 62 4.72 4.73 haza
Page 69 and 70:
The Nimrod Review 64
Page 71 and 72:
The Nimrod Review 66 Prevailing App
Page 73 and 74:
The Nimrod Review 68 18. Targeted f
Page 75 and 76:
The Nimrod Review 70 Figure 5.3: Ni
Page 77 and 78:
The Nimrod Review 72 Description of
Page 79 and 80:
The Nimrod Review 74 Figure 5.8: Fu
Page 81 and 82:
The Nimrod Review 76 5.17 determine
Page 83 and 84:
The Nimrod Review 78 5.27 to have b
Page 85 and 86:
The Nimrod Review 80 of one second,
Page 87 and 88:
The Nimrod Review 82 Maintenance re
Page 89 and 90:
The Nimrod Review 84 Ignition/Leak
Page 91 and 92:
The Nimrod Review 86 Fuselage Leaks
Page 93 and 94:
The Nimrod Review 88 would generate
Page 95 and 96:
The Nimrod Review 90 5.75 5.76 5.77
Page 97 and 98:
The Nimrod Review 92 The Manufactur
Page 99 and 100:
The Nimrod Review 94 The Procuremen
Page 101 and 102:
The Nimrod Review 96 Contractual ch
Page 103 and 104:
The Nimrod Review 98 5.111 Comment
Page 105 and 106:
The Nimrod Review 5.123 5.124 5.125
Page 107 and 108:
The Nimrod Review 5.134 102 The ave
Page 109 and 110:
The Nimrod Review 5.145 5.146 104 T
Page 111 and 112:
Page 113 and 114:
The Nimrod Review 108 6. I have con
Page 115 and 116:
The Nimrod Review 6.6 110 this inta
Page 117 and 118:
The Nimrod Review Analysis 6.19 112
Page 119 and 120:
The Nimrod Review 6.28 114 limitati
Page 121 and 122:
The Nimrod Review 6.40 116 Impingem
Page 123 and 124:
The Nimrod Review 6.44 6.45 118 The
Page 125 and 126:
The Nimrod Review Gap between fairi
Page 127 and 128:
The Nimrod Review 6.60 6.61 6.62 6.
Page 129 and 130:
The Nimrod Review 6.72 Cognisant of
Page 131 and 132:
The Nimrod Review 6.83 126 on its o
Page 133 and 134:
The Nimrod Review 6.96 128 I have c
Page 135 and 136:
The Nimrod Review Causation general
Page 137 and 138:
The Nimrod Review 6.113 132 of fuel
Page 139 and 140:
The Nimrod Review 134 Causation 9.
Page 141 and 142:
The Nimrod Review 7.10 136 Followin
Page 143 and 144:
The Nimrod Review 7.20 138 When XV2
Page 145 and 146:
Page 147 and 148:
The Nimrod Review 7.39 142 combinat
Page 149 and 150:
The Nimrod Review 7.47 Causation 14
Page 151 and 152:
The Nimrod Review 7.53 Dealing with
Page 153 and 154:
The Nimrod Review 7.67 Conclusion 1
Page 155 and 156:
The Nimrod Review Introduction 8.1
Page 157 and 158:
Page 159 and 160:
The Nimrod Review 8.23 154 Again, e
Page 161 and 162:
The Nimrod Review 156 or destructio
Page 163 and 164:
The Nimrod Review 8.44 158 It is no
Page 165 and 166:
PART III: NIMROD SAFETY CASE Introd
Page 167 and 168:
CHAPTER 9 - BACKGROUND TO SAFETY CA
Page 169 and 170:
9.7 9.8 Chapter 9 - Background to S
Page 171 and 172:
Guiding Principles of Lord Cullen
Page 173 and 174:
9.22 9.23 Chapter 9 - Background to
Page 175 and 176:
Military Regulation of Safety Cases
Page 177 and 178:
Page 179 and 180:
9.44 Chapter 9 - Background to Safe
Page 181 and 182:
9.52 9.53 9.54 Chapter 9 - Backgrou
Page 183 and 184:
Page 185 and 186:
White Booklet 9.67 Chapter 9 - Back
Page 187 and 188:
Philosophy of the SMP 9.72 9.73 Cha
Page 189 and 190:
The Safety Committees and Hazard Ma
Page 191 and 192:
Chapter 9 - Background to Safety Ca
Page 193 and 194:
CHAPTER 10A - NIMROD SAFETY CASE: T
Page 195 and 196:
Chapter 10A - Nimrod Safety Case: T
Page 197 and 198:
Chronology - three phases 10A.8 Cha
Page 199 and 200:
10A.19 Chapter 10A - Nimrod Safety
Page 201 and 202:
Page 203 and 204:
10A.39 10A.40 Chapter 10A - Nimrod
Page 205 and 206:
Page 207 and 208:
Worksheets 10A.60 10A.61 10A.62 Cha
Page 209 and 210:
10A.66 10A.67 10A.68 10A.69 Chapter
Page 211 and 212:
DCP 0221.jpg DCP 0312.jpg Chapter 1
Page 213 and 214:
8 May 2003: Third PSWG Meeting 10A.
Page 215 and 216:
Page 217 and 218:
Page 219 and 220:
1 March 2004: BAE Systems strategy
Page 221 and 222:
Initial ‘pro-forma’ template to
Page 223 and 224:
Page 225 and 226:
June 2004: slow progress on zonals
Page 227 and 228:
Page 229 and 230:
Fire & Explosion Report completed C
Page 231 and 232:
10A.172 10A.173 10A.174 Chapter 10A
Page 233 and 234:
Page 235 and 236:
Switch in strategy for meeting Chap
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Chapter 10B - Nimrod Safety Case: T
Page 245 and 246:
Page 247 and 248:
10B.15 10B.16 Chapter 10B - Nimrod
Page 249 and 250:
Page 251 and 252:
10B.31 Bronze Award 10B.32 Chapter
Page 253 and 254:
10B.42 Chapter 10B - Nimrod Safety
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
10B.67 10B.68 Chapter 10B - Nimrod
Page 261 and 262:
10B.75 10B.76 “Change 17 Mar 2005
Page 263 and 264:
Chapter 11 - Nimrod Safety Case: An
Page 265 and 266:
Criticism of individuals Chapter 11
Page 267 and 268:
Introduction Background - Chapters
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
(2) BAE Systems failed to carry out
Page 275 and 276:
Page 277 and 278:
Sketchy details and inadequate phot
Page 279 and 280:
Delays resulted 11.51 Chapter 11 -
Page 281 and 282:
11.61 Chapter 11 - Nimrod Safety Ca
Page 283 and 284:
Primary sentencing source was MRA4
Page 285 and 286:
Purpose of meeting 11.77 Dilemma 11
Page 287 and 288:
11.85 11.86 Chapter 11 - Nimrod Saf
Page 289 and 290:
Ethics 11.95 Causation 11.96 Chapte
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Review’s audit of the Pro-Formas
Page 299 and 300:
(3) Erroneous or poor mitigation an
Page 301 and 302:
Page 303 and 304:
‘Zone 7.23’ Chapter 11 - Nimrod
Page 305 and 306:
(3) Leaving the NSC task incomplete
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Detailed analysis and criticisms of
Page 313 and 314:
Joint working group never set up Ch
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
George Baber’s lack of care and a
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
Page 329 and 330:
(8) QinetiQ was too compliant and e
Page 331 and 332:
Failure to ask intelligent question
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
PART IV: ORGANISATIONAL CAUSES
Page 343 and 344:
Page 345 and 346:
The Nimrod Review 342 6.2 1994-1999
Page 347 and 348:
The Nimrod Review 344 Figure 12.2:
Page 349 and 350:
The Nimrod Review 12.9 IPTs 346
Page 351 and 352:
The Nimrod Review ‘Partnering’
Page 353 and 354:
The Nimrod Review 2007: formation o
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
The Nimrod Review 356 ‘change’
Page 361 and 362:
The Nimrod Review 358 (2) Demise of
Page 363 and 364:
The Nimrod Review 13.4 13.5 13.6 13
Page 365 and 366:
The Nimrod Review 13.14 362 In my v
Page 367 and 368:
The Nimrod Review 13.23 De-layering
Page 369 and 370:
The Nimrod Review McKinsey recommen
Page 371 and 372:
The Nimrod Review 13.44 ‘CUTS’
Page 373 and 374:
The Nimrod Review 13.54 370 13.53.1
Page 375 and 376:
The Nimrod Review 372 or organisati
Page 377 and 378:
The Nimrod Review ‘Reduction in o
Page 379 and 380:
The Nimrod Review 13.83 376 lines (
Page 381 and 382:
The Nimrod Review (2) Increased ope
Page 383 and 384:
The Nimrod Review Realpolitik 13.10
Page 385 and 386:
The Nimrod Review DLO Business Plan
Page 387 and 388:
The Nimrod Review Chief Engineer RA
Page 389 and 390:
The Nimrod Review 13.126 AD(Eng)Pol
Page 391 and 392:
The Nimrod Review 388 D Tech AD(Eng
Page 393 and 394:
The Nimrod Review Conclusion on MOD
Page 395 and 396:
The Nimrod Review 13.148 392 apex,
Page 397 and 398:
The Nimrod Review 13.158 394 (4) Fe
Page 399 and 400:
The Nimrod Review 13.169 396 with A
Page 401 and 402:
The Nimrod Review Evidence of Nimro
Page 403 and 404: The Nimrod Review 13.188 13.189 Con
Page 405 and 406: The Nimrod Review 402 5. The immedi
Page 407 and 408: The Nimrod Review 2003: ISD ‘slip
Page 409 and 410: The Nimrod Review 14.16 14.17 406 F
Page 411 and 412: The Nimrod Review 14.25 408 forces
Page 413 and 414: The Nimrod Review Conclusion 14.30
Page 415 and 416: PART V: AFTERMATH Introduction to P
Page 417 and 418: Chapter 15 - BOI Recommendations an
Page 419 and 420: 15.8 Chapter 15 - BOI Recommendatio
Page 421 and 422: Fuel Seal Replacement Programme 15.
Page 425 and 426: The Process 15.32 15.33 Chapter 15
Page 427 and 428: The Cost 15.44 15.45 Chapter 15 - B
Page 431 and 432: Appendix A to Chapter 15 AIRCRAFT:
Page 433 and 434: Serial Recommendations Status Numbe
Page 441 and 442: CHAPTER 16 - INQUEST Contents Chapt
Page 443 and 444: Chapter 16 - Inquest 16.4.2 Second,
Page 445 and 446: PART VI: LESSONS AND RECOMMENDATION
Page 447 and 448: The Nimrod Review 446 (7) A new Pro
Page 449 and 450: The Nimrod Review NASA Space Shuttl
Page 451 and 452: The Nimrod Review (2) ‘Torrent of
Page 453: The Nimrod Review (10) ‘Normalisa
Page 457 and 458: The Nimrod Review 456 17.39.3 “It
Page 459 and 460: The Nimrod Review 458
Page 461 and 462: The Nimrod Review Introduction 18.1
Page 463 and 464: The Nimrod Review 462 The three yea
Page 465 and 466: The Nimrod Review 18.19 18.20 18.21
Page 467 and 468: The Nimrod Review 466 ‘Bow Tie’
Page 469 and 470: The Nimrod Review The ‘organisati
Page 471 and 472: The Nimrod Review 18.38 470 1 Accid
Page 473 and 474: The Nimrod Review Current position
Page 475 and 476: The Nimrod Review (6) There is a bi
Page 477 and 478: The Nimrod Review 476 by the IPT an
Page 479 and 480: The Nimrod Review 478 trails’ rat
Page 481 and 482: The Nimrod Review 480 Meeting / Wor
Page 483 and 484: The Nimrod Review 482 operational t
Page 485 and 486: The Nimrod Review 484 19.34.16 ”A
Page 487 and 488: The Nimrod Review 486
Page 489 and 490: The Nimrod Review Four Key Principl
Page 491 and 492: The Nimrod Review 20.12 20.13 490 1
Page 493 and 494: The Nimrod Review 20.24 20.25 492 S
Page 495 and 496: The Nimrod Review 494 (8) Mandatory
Page 497 and 498: The Nimrod Review 496 I. Clarificat
Page 499 and 500: The Nimrod Review 498 issues person
Page 501 and 502: The Nimrod Review 500 Recommendatio
Page 503 and 504: The Nimrod Review 502 Head of the M
Page 505 and 506:
The Nimrod Review 504 Defence Airs
Page 507 and 508:
The Nimrod Review 506 those who are
Page 509 and 510:
The Nimrod Review 21.37 Paragraph 6
Page 511 and 512:
MAA The Nimrod Review Head of the M
Page 513 and 514:
The Nimrod Review 512 will also mai
Page 515 and 516:
The Nimrod Review 21.59 21.60 Objec
Page 517 and 518:
Page 519 and 520:
The Nimrod Review 21.80 21.81 Objec
Page 521 and 522:
The Nimrod Review 520 Recommendatio
Page 523 and 524:
The Nimrod Review Recommendations E
Page 525 and 526:
The Nimrod Review 21.110 524 The BO
Page 527 and 528:
The Nimrod Review 21.119 526 in a p
Page 529 and 530:
The Nimrod Review 21.129 21.130 Obj
Page 531 and 532:
The Nimrod Review 530 provide overs
Page 533 and 534:
The Nimrod Review 21.152 532 nd I w
Page 535 and 536:
Page 537 and 538:
The Nimrod Review 22.12 Third, Safe
Page 539 and 540:
The Nimrod Review 538 22.16.1 First
Page 541 and 542:
The Nimrod Review Genesis of Safety
Page 543 and 544:
Page 545 and 546:
The Nimrod Review Six Principles fo
Page 547 and 548:
The Nimrod Review 546 (2) Common se
Page 549 and 550:
Page 551 and 552:
Page 553 and 554:
The Nimrod Review Life Extension Pr
Page 555 and 556:
The Nimrod Review 554 not represent
Page 557 and 558:
The Nimrod Review 23.35 556 I consu
Page 559 and 560:
The Nimrod Review Lesson Learned -
Page 561 and 562:
Page 563 and 564:
The Nimrod Review 24.12 562 nor per
Page 565 and 566:
Page 567 and 568:
The Nimrod Review Conclusions 25.16
Page 569 and 570:
Page 571 and 572:
Page 573 and 574:
The Nimrod Review Professor Reason
Page 575 and 576:
The Nimrod Review Safety Managers 2
Page 577 and 578:
The Nimrod Review The critical role
Page 579 and 580:
Page 581 and 582:
The Nimrod Review 29.6 XV230 29.7 5
Page 583 and 584:
The Nimrod Review FI Fatigue Index
Page 585 and 586:
Page 587:
ACKNOWLEDGEMENTS Acknowledgements A
show all

The Nimrod Review - Official Documents

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?