This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
On September 2006 an RAF Nimrod XV230 on a mission over Afghanistan suffered an uncontrollable and catastrophic mid-air fire in an inaccessible part of the aircraft, which lacked fire protection. The crew had no chance of combatting the fire, leading to a break-up of the airframe only minutes before they could make and emergency landing at Kandahar Airbase. All 14 service personnel on board were tragically killed. A squadron of Royal Canadian Dragoons in the vicinity secured the area to preserve the crash scene. They were later relieved by 34 Squadron RAF Regiment, who managed to recover bodies, data recorder and images (later proving to be crucial) of the crash site. They were withdrawn by air after several hundred local nationals including members of the Taliban had converged on the area.
A board of enquiry was formed to conduct a 7 month review to determine the most probable causes to the accident. The area most likely to be the source of ignition was thought to be the high temperature Cross-Feed/Supplementary Conditioning Pack (SCP) duct located in the starboard No. 7 Tank dry bay. The source of fuel was thought to have originated from a leak in an air-to-air refueling (AAR) transaction which occurred only minutes before the fire.
Top Level Requirements
The Nimrod MR2 suffered from three fundamental design flaws, which played a major part in the loss of the aircraft. The first flaw was introduced by Hawker Siddeley with the original fitting of the Cross-Feed duct to the Nimrod MR1s and R1s in 1969. The aims of these were to distribute Auxiliary Power Unit air and engine bleed-air to the engines for ground starting. They could operate at up to 470Â°C during flight. The second flaw came when BAE Systems added an SCP to provide increased cooling for the additional equipment introduced when the MR1s where upgraded to MR2s. The final critical flaw was introduced as an emergency requirement in the Falklands War, when AAR was needed to lengthen the range of the MR2. As the refuel galley was now pressurised there was an increased chance in leaks from blow-off valves which automatically release fuel into the atmosphere to prevent over-pressurisation. This modification produced the unwanted possibility of this excess fuel igniting on the hot Cross-Feed ducts (as such was the case with XV230).
There was a perfect opportunity to prevent the accident occurring in 2002.'Safety Cases' were being introduced as a mandate for military aircraft to identify and assess potential catastrophic hazards. BAE Systems along with the Ministry of Defence (MOD) Nimrod Integrated Project Team (IPT) were tasked to draw up the safety case for the MR2. QinetiQ were employed to act as an independent safety advisor to the project. The Nimrod had successfully flown for 30 years so there was a widespread assumption that it was 'safe anyway' and therefore was merely a paperwork exercise. As a result the parties involved became complacent with work being poorly planned, managed and rushed. At the handover meeting BAE Systems gave a misleading report that all work had been completed properly when in fact 40% of hazards hadn't been mitigated and 30% were left 'unclassified'. The Nimrod IPT inappropriately delegated their proportion of the work to junior employees and failed to involve themselves adequately in BAE Systems work. QinetiQ failed to carry out its role by not checking BAE Systems' risk assessment and mitigation evidence. They also sent an employee to the final handover who was not only inadequately aware of the case, but had not read any of BAE Systems' reports.
The MOD suffered from many organizational changes, beginning with the 1998 Strategic Defence review. Larger management structures were created and many tasks were 'outsourced' to industry. There were many cuts and changes which served as a distraction from what should have been the top priority; airworthiness and safety. These alterations severely affected the Nimrod IPT in its role in the Nimrod Safety Case. The changes imposed also filtered down into the projects the MOD were heading. For instance, plans for a replacement Nimrod, the MRA4 (originally scheduled to come into service in 2000) were constantly pushed back due to changing requirements. If this new aircraft had been completed on time, XV230 would have most likely, no longer been flying at the time of the incident in 2006. In fact the number of time over-run MOD projects was at 80% and the average cost over-run was at 40%. Due to the perception of the MR2 being 'just about to go out' of service, it did not benefit from longer - term investments and spares hadn't been provided for an extended end of life period.
Methods selected to address requirements
The board of enquiry came to the conclusion that the design flaws were contrary to engineering practice and design regulations of the time. The temporary design can be excused due to the emergency situation with the Falklands War, however when the refueling capability became permanent the modification should have been addressed. The main problem with continuing to support old aircraft in a modern environment is the enormous change in standards. Designs acceptable then, would not have been acceptable today. There is a diminishing supply of original engineers and mechanics who truly know the aircraft. Difficulties with access and maintenance, along with the incorporation of modern modifications and systems, lead to poor maintenance practices which, if left unchecked by management teams can prove to be fatal. As stated above modern aircraft are built too much higher standards, however when maintaining old aircraft, the review made recommendations that proper training in Airworthiness Management is required. There is also a need for a proper system of reporting and analysis of faults and hazards identified. A single Risk Management System is also mentioned as a way to keep risk analysis and records uniform across aircraft.
The most important chance anyone had of rectifying the problems with the Nimrod was in the Safety Case. Unfortunately the review concluded that the majority of safety cases in the military were seen as paperwork exercises. They were designed to be an aid to thinking about the risks, but had become an end in themselves. As mentioned above, proper training in risk analysis techniques and a uniform risk management system are recommended. Additionally safety cases should be re-named 'Risk Cases' to refocus attention on the risk element. Safety cases should be brought 'in-house', where they can be monitored effectively, instead of being outsourced. Also there is a recommendation for an entirely new 'Safety Culture'. Safety should be paramount in employees' minds and so employees should be encouraged to readily report problems and errors they encounter. There should be an emphasis on drawing the right conclusions from safety information in order to implement any major safety reforms, as opposed to looking for ways to work around the issue. Many assumptions were made in the Nimrod Safety Review. As a counter to this, the new safety culture should support those who ask the "What if?" and "Why?" questions.
The MODs' organizational changes made in an effort to create a more managerial structure have brought about many problems. These have had a significant impact on the organisations ability to interact with other companies regarding the airworthiness of its aircraft. A major factor is the decline in its ability to act as an 'intelligent customer'. In the case of the Nimrod Safety Review, the MOD took BAE Systems and QinetiQ's word as gospel, as they had few skilled and knowledgeable employees to scrutinize their work effectively. These shortages in skill lead to the outsourcing of many technical jobs, which ultimately meant these companies had a degree of control over them, giving them the capacity to be manipulative. The review suggests a new personnel strategy is devised, in order to recapture the required level of skill and manpower to bring them 'out of the dark' in future airworthiness cases. Finally we turn to procurement. Major delays in new equipment have caused old equipment to be in service way beyond its original end of life date. With regard to the Nimrod; if delays in the MRA4 programme hadn't occurred, XV230 wouldn't have been flying in 2006. The review states that this MUST not happen again. Sorting out procurement should be of utmost importance in order to prevent an event like the crash of XV230 again. It is also recommended that Bernard Gray's report on procurement should be published immediately and adhered to. This report makes recommendations to clarify roles and accountabilities in equipment distribution and acquisition. It also suggests a Strategic Defence Review should be carried out in the first session of every new parliament to outline its requirements and objectives. A 10 year rolling budget should also be enforced to keep spending at a steady rate.
How the methods address the scenario
With the new measures mentioned above put into place, the processes of reporting and analyzing faults and hazards will become less ambiguous. An increase in qualified airworthiness managers will mean critical elements are less likely to be overlooked. With uniformity set across multiple types of aircraft for risk analysis, training costs across the respective companies will fall. Employees won't have to relearn (or create in the Nimrod's case) a new method to risk analysis and mitigation. When looking at new aircraft, design flaws are less likely to be found as criteria and regulations have been greatly improved. For old aircraft still in service however, these changes could mean a greatly improved rate of these types of issues being spotted before they cause catastrophic consequences.
The main focus on the recommendations made involve stricter regulations and a unified method of completing tasks. With the Nimrod Safety Case these recommendations are much the same. Proper training in risk analysis will prevent employees carrying out such tasks from overlooking important and possibly fatal factors in the future. The recommendation of a new safety culture is also a key point. Employees are much more likely to make sure their work and their projects are 100% water tight, if the possibility may arise for holes to be openly pointed out.
One of the main recommendations from the review was to create a new personnel strategy. The aim behind this being, by having skilled personnel in-house, outsourcing of safety and technical projects will no longer be needed. This means the MOD will not only be able to keep a closer watch on its projects, but will benefit financially by removing profit margins from the companies work had been outsourced to. The extra funds created by not paying these large companies such as BAE Systems, could be reinvested in procurement to prevent further projects from becoming over-due and over-budget. The recommendations made by Bernard Gray, if put into place, would help keep the MOD on a steady track and prevent the organisation from snowballing into a state of disorder, as per the wake of the 1998 Strategic Defence Review.
Description of Scenario 2 - Piper Alpha
Piper Alpha was an oil platform in the North Sea, which began production in 1976. It was later transformed from oil to gas production. On 6th July 1988 a multitude of failures in communication, procedures and management lead to a disastrous explosion, resulting in the death of 167 men. There were only 59 survivors. In the weeks that built up to the accident, a new gas pipe line was being installed. This caused some disruption, but was nothing of major concern. On the morning of the 6th July one of the platforms two pumps was undergoing maintenance. A pressure safety valve (PSV) was removed and temporarily sealed with a flat metal disc. Because this maintenance could not be completed by 6pm (the end of the day shift), the on-duty engineer filled out a permit stating the pump must not, under any circumstances, be switched on. As the night shift took over, the permit disappeared and the new on-duty engineer was never informed of the situation. Later in the evening the second pump suddenly failed and couldn't be restarted. A running pump was vital to keep the power supply of the rig active and so, without any indication that this would be an error; the decision to start the first pump was made. Due to the missing PSV, at 10pm, gas flowing into the pump caused an overpressure, causing gas to leak at high pressure from the previously temporarily sealed hole. Almost immediately this triggered an engulfing explosion. The rig had an automatic fire protection system; however this had been transferred to manual control earlier in the day to prevent under-water divers from being sucked into the system. Without any aid to combat the fire, the control room was abandoned before any attempt to command an evacuation from the loudspeakers was made. As the fire ignited other gas supply pipelines the severity of the situation dramatically increased. Attempts to manually start the fire protection system failed and so personnel tried to make their way to the lifeboat stations. They found their route blocked by fire and so decided to shelter in fireproof accommodation blocks to await further instructions. These never came. Eventually the platform gave way and all those left aboard tragically died. 59 survivors were pulled from the sea by rescue boats after having desperately jumped from the rig.
Top Level Requirements
In 1980 Piper Alpha was converted from an oil production rig to gas production. When the platform was originally built, it followed a standard that meant placing the most dangerous operations away from personnel areas. The conversion however, broke this rule as gas compression had been located next to the control room, leaving two sensitive areas situated together. From the outset the platform had fire walls built to withstand intense fire. With the change to gas and the scenario of an explosion, these walls didn't have a chance at doing their job.
There were many errors within the permit system. When returning the permit stating the pump must not be started, the on-duty engineer failed to inform anyone who would be in a position of authority on the night shift. The system of reporting and handing over at the end of a shift was flawed and so important issues were being missed.
There were two other rigs in the vicinity of Piper Alpha who pumped their gas to it. When Piper Alpha exploded, these rigs continued to supply gas despite being able to physically see the fires. This further fuelled the fire, but because of the enormous cost of shutting down a rig, they chose not to because they didn't have the authority.
The platform was equipped with diesel powered fire protection pumps. In the event of a fire they withdrew water from the sea through large vents and operated with the intent to quell the spread of the fire. Piper Alpha was complying too an outdated procedure which involved turning these pumps to a manual setting whenever divers had entered the water. In fact in 1983, an audit of the system changed the procedure, meaning it should only be set to manual when divers were in the immediate surrounding area of the vents to prevent them from being drawn in. In the event of Piper Alpha, this was not the case.
A major flaw with the layout of the rig was the location of the lifeboats. There was only one route to them, which was blocked by smoke and fire. The personnel onboard the rig had not been sufficiently trained to act in an emergency and so sought shelter. They didn't know what course of action to take next.
Methods selected to address requirements
In the wake of the accident a report was carried out by Lord Cullen. It was extremely critical of the practices and procedures in force on Piper Alpha and provided a list of recommendations with a hope of preventing a similar event occurring in the future. 106 recommendations were made in total to be implemented across the industry and its regulators. Many of these have now been put into force and are industry wide standard.
In 1996 The Offshore Installations and Wells Regulations were introduced. They were aimed at ensuring the integrity of installations such as Piper Alpha's fire walls and maintain a safe working environment offshore. They require each offshore installation to submit a case to the Health and Safety Executive (HSE) three times a year detailing systems put in place to combat major incidents. This exercise can be seen as a sure way to prevent subsequent accidents; it can also be costly and repetitive for companies. This may again lead to a lax in effort given to the task. An alternative would be to only require a new safety case when a major contributing factor has been modified or installed.
The permit-to-work system was raised as a major issue in Lord Cullen's report. His comments ultimately lead to the Offshore Installation and Pipeline Works (Management and Administration) Regulations produced in 1995. They set out requirements for the safe management of offshore installations by the introduction of Offshore Installation Managers (OIMs), whom act as the highest member of authority on the rig. They should be aware of all the maintenance and faults at all times in order to make decisions with a holistic view. The regulations also required proper enforcement of the permit-to-work system to ensure responsibilities and hazards are successfully allocated. It also acts as a written log of who is in control at a specific time. This system is an effective tool of communication as long as it is enforced strictly and respected.
In 1995 The Offshore Installations (Prevention of Fire and Explosion, and Emergency Response) Regulations (PFEER) were devised. They provided requirements and recommendations to protect personnel and equipment from fire and explosions, along with an effective and adequate emergency response. A requirement of these regulations state that the OIM will take ultimate control in the event of an emergency scenario. They can contact adjacent rigs to prevent them from making incorrect decisions based on their lack of knowledge of the situation. This still leaves an element of human error in the process; however these OIMs should be managers as a sole occupation and so will have been trained to a such a high standard that they can make the right decisions.
The failure to have the automatic fire control system operating is not an error in legislation, but one of malpractice. The Offshore Installations and Wells Regulations introduced will cover against this happening again. With the platforms having to provide reports to the HSE, the appropriate procedures will almost certainly be followed. The audit that actually changed the regulations in 1983 have not covered all possibilities, but have greatly increased the probability that the automatic fire control system will be enabled, as divers will infrequently need to be in the immediate vicinity of the vents.
In order to combat the limited emergency training standard of the rig workers, Lord Cullen's report made several recommendations. The OIM was introduced to take ultimate responsibility and to provide orders in the event of an emergency. It was also stated that all other employees must be trained competently in emergency scenarios. If it arose that the OIM couldn't provide guidance, they must know how to react and how to operate vital lifesaving equipment such as lifeboats and breathing apparatus.
How the methods address the scenario
With these recommendations now seen as an industry standard minimum level of standards, the probability of another similar tragedy on the scale has been greatly reduced. Frequent submissions of safety cases should bring to light any potentially problematic or fatal elements in operation on the platforms. With the introduction of an OIM, there should be less confusion not only in the state of machinery and maintenance statuses, but also there should be a greater deal of clarity in an emergency scenario. If these recommendations had been made before the day of the accident, it is very likely that the on-duty engineer would have known the state of both pumps. An explosion would have been contained effectively and successfully subdued by the fire protection system. Any necessary evacuation would have been efficient and everyone onboard the rig would have survived.
The Public Inquiry into the Piper Alpha Disaster, Cullen, The Honourable Lord, HM Stationery Office, 1990
Description of Scenario 3 - Eyjafjallajokull
Approaching the end of 2009 seismic activity started to be detected around Eyjafjallajokull, a volcano located in the south of Iceland. They gradually increased until on the 20th March 2010 it erupted. Although the eruption was not of great magnitude, an ash cloud was created throwing volcanic ash several miles into the atmosphere.