In 2006, the Afghan war against insurgents was in full swing. A multinational force was active in the country.
The British forces used their Nimrods for surveillance and intelligence gathering.
The Nimrod (now all decommissioned) had initially been developed and built for naval surveillance, and was based on the de Havilland Comet design. The Comet was the first jet-powered commercial aircraft; its design development started after WW2. The design of the Comet was obviously certified against the Airworthiness Standards of that era.
In 2006 an RAF Nimrod was on a routine mission over southern Afghanistan when the aircraft was observed, by ground forces and by a Harrier pilot operating close by, to be on fire. The aircraft exploded at an estimated 3000 ft and subsequently impacted the ground.
Prior to the accident the aircraft had been taking on airborne fuel from an RAF Tristar tanker.
The aircraft impacted in Taliban-held terrain. Canadian and British ground forces moved in to secure the site and attempt to recover possible survivors, bodies, and documents as well as sensitive equipment. There were no survivors.
These ground forces came under attack from locals; they could hold their positions for 21 hours after their arrival on scene and then had to be airlifted out.
Fortunately a British Army officer took detailed photographs of the accident site and wreckage, which enabled the investigation board, chaired by Charles Haddon-Cave QC, to conduct a comprehensive investigation. It produced an excellent report which drills down into many aspects of the contributing factors to this tragic accident and the organisational aspects leading up to it.
The report addresses among other subjects:
Technical details pertinent to this particular accident
Safety analysis of design changes
Continuing Airworthiness aspects of design changes
Organisational Aspects of Airworthiness and Safety Management
Safety Recommendations
The report is exceptionally detailed and consists of 587 pages. A bookmarked version of the report is linked in this article.
Its subtitle is "A Failure in Leadership, Culture and Priorities".
The report consists of five parts:
Introduction
Physical Causes
Nimrod Safety Case
Organisational Causes
Aftermath
Lessons and recommendations
The report also contains scathing criticism of several key persons in charge of the process of Airworthiness Management. I will leave that up to the reader of the report to discover and will not quote these criticisms in the article.
In essence the eruption of fire right after air-to-air refuelling was a result of a design flaw in the highly modified (from the Comet) fuel system in the Nimrod.
This design flaw had been dormant for about 30 years until it had the catastrophic result of this accident.
The report identifies and analyses the "Nimrod Safety Case" that had been developed and implemented in 2005.
The "Safety Case" in essence is the same as a system safety analysis as described in the civilian large aircraft certification code CS25.1309. (Supplemental) Type Certificate Holders have to produce this analysis in order to obtain product certification.
Core contributing factors were:
Nimrod Safety Case was flawed. Quote from the report: "Unfortunately, the Nimrod Safety Case was a lamentable job from start to finish. It was riddled with errors. It missed the key dangers. Its production is a story of incompetence, complacency, and cynicism. The best opportunity to prevent the accident to XV230 was, tragically, lost."
Cultural negligence towards the review of the Nimrod Safety Case by the responsible organisation. Quote from the report: "XXX bears substantial responsibility for the failure of the Nimrod Safety Case. Phases 1 and 2 were poorly planned, poorly managed and poorly executed, work was rushed and corners were cut. The end product was seriously defective."
Below I will give a brief summary of the different parts of the report:
Part 1; Introduction
Part 1 contains the executive summary, the history of the Nimrod and a technical description of the type. Interestingly, the Nimrod involved in the accident (XV230) was the first to enter service in October 1969.
This part describes the two possible scenarios of the accident that led to an unconfined escape of fuel near an ignition source, which made the aircraft catch fire and resulted in an in-flight break-up and crash with no survivors.
It briefly describes the design flaw that resulted in this accident but had been dormant for 30 years.
It also summarises which organisational factors allowed this design flaw to pass without being flagged when it should have been.
It also lists the peer review parties of the report.
Part 2; Physical Causes
This part describes the most probable sequence of events that led to the in-flight fire.
In a nutshell, it was the interaction between a "Cross feed (bleed air) duct" and a defective fuel line coupling leaking fuel into the dry bay of tank #7 (see fuel tank layout below).
The fuel tank architecture is complex and different from the original Comet design.
The Cross feed duct is a bleed air duct that crosses over from the left hand engines to the right hand engines and contains bleed air of about 400 degrees C.
The figure below shows the proximity of fuel lines to the hot Cross feed duct inside the #7 fuel tank.
The Cross feed duct was part of the original Nimrod MR1 design.
Additional features that were added to the original design with the MR2 were the permanent Air to Air refuelling system and the SCP (Supplemental Cooling pack) duct. According to the report, the proximity of the (hot) duct to fuel pipes and couplings, and the possibility of fuel pooling in the dry bay, constituted a serious fire hazard that was not recognised by the engineering companies responsible for the design and its safety case.
Part 3; Nimrod Safety Case
The safety case is the equivalent of civilian certification substantiation: analyses, test reports, simulations and other evidence that substantiate compliance with the applicable certification code.
Part of all design safety cases and substantiation is hazard identification, classification and mitigation. The figure below shows an abbreviated diagram of the classification and mitigation requirements.
Chapter 9 of this part describes in detail the organisational structure and roles of the safety system that was supposed to comply and to action items classified according to the above methodology.
Three parties were involved in building the Nimrod safety case:
BAE Systems as Design Authority
The Nimrod IPT [Integrated Project Team]
QinetiQ as "independent advisor"
Every safety case begins with a Hazard Register identifying and classifying every potential hazard in the system [comparable to what CS25.1309 compliance requires].
In the particular case of the Nimrod safety case, 43 out of 105 hazards were classified as "open", among which was the serious fire hazard.
This flaw in the safety case led the Board of Investigation to assign criticism to the responsible entities.
Part 4; Organisational Causes
This part of the report describes organisational [management] factors that were an important contributing set of factors to the failure of the Nimrod Safety Case.
Interestingly, in 1998, a Nimrod Airworthiness Review Team Report warned of “the conflict between ever reducing resources and ... increasing demands; whether they be operational, financial, legislative, or merely those symptomatic of keeping an old ac flying”
In that period [1998-2005], the British MOD [Ministry of Defence] was in a process of profound reorganisation, consisting of budget cuts and change, which caused a distraction from the Airworthiness tasks and roles. It prevented the Nimrod IPT [Integrated Project Team] from doing its job properly.
Another factor was the delayed certification and introduction of the MRA4 version of the Nimrod, which in turn delayed the phase out of the MR3. This should have changed the focus of long term continuing Airworthiness Management but instead had an adverse effect on In-Service support of the MR2 version of the Nimrod.
Note: this phenomenon of delayed introduction of a new type, and reduced life cycle support of a current type to the point of adversely affecting safety and reliability, is very commonly seen in aviation and marine fleet management and is a very real risk by itself.
Chapters 12 through 14 describe the many elements in procurement and engineering that were redefined, and it's easy to understand why the task of Airworthiness Management was diluted and mismanaged.
As one of the very few investigation reports, this report drills down to the many aspects of management culture and task dilution and loss of focus on essential tasks. A must read for every manager in an operational role in my humble opinion.
The reader can relate to many events and high profile accidents in his/her professional environment. The Boeing 737 Max comes to mind among others.
Part 5; Aftermath
This part describes the interaction and immediate action taken on safety recommendations by the RAF. Below is a summary:
Key post-XV230 Nimrod safety management measures have been:
(1) the implementation of the majority of the XV230 BOI recommendations, in particular, the prohibition on the use of the Supplementary Conditioning Pack and Cross-Feed duct in flight;
(2) the total suspension of all Air-to-Air Refuelling;
(3) the targeted Fuel Seal Replacement Programme;
(4) the Hot Air Duct Replacement Programme;
(5) the Avimo seal material replacement programme; and
(6) the forensic teardown programme.
At a time of heightened awareness (post XV230 accident) of the potential fire hazard posed by a combination of leaking fuel in proximity to hot air ducts, several hazardous situations were found on the Nimrod fleet which could potentially have ended catastrophically.
Part 6; Lessons and Recommendations
Interestingly, this section of the report indeed refers to similar cases of mismanagement leading to catastrophe and loss of life. Below is a literal quote from Chapter 17:
"1. The lessons to be learned in the case of Nimrod XV230 are not new.
2. There are 12 uncanny, and worrying, parallels between the organisational causes of the loss of Nimrod XV230 and the organisational causes of the loss of the NASA Space Shuttle ‘Columbia’:
(1) The ‘can do’ attitude and ‘perfect place’ culture.
(2) Torrent of changes and organisational turmoil.
(3) Imposition of ‘business’ principles.
(4) Cuts in resources and manpower.
(5) Dangers of outsourcing to contractors.
(6) Dilution of risk management processes.
(7) Dysfunctional databases.
(8) ‘PowerPoint engineering’.
(9) Uncertainties as to Out-of-Service date.
(10) ‘Normalisation of deviance’.
(11) ‘Success-engendered optimism’.
(12) ‘The few, the tired’.
3. The Columbia Accident Investigation Board Report emphasised the importance of identifying the fundamental ‘organisational causes’ of accidents rather than just focusing merely on errors and omissions by individuals. It should be required reading for anyone involved in aviation safety.
4. The present case also has parallels with other catastrophic accidents such as the Zeebrugge Disaster (1987), King’s Cross Fire (1987), The Marchioness (1989), and BP Texas City (2005).
5. Columbia and other cases have shown that, usually, there are fundamental organisational causes which lie at the heart of many major accidents, and these have to be addressed in order to learn the real lessons for the future."
This part of the report describes the accident theory, which contains the two classic "bow tie" and "swiss cheese" models of risk identification and mitigation, and the organisational constrictions in this specific case that made the safety case fail to such an extent that loss of life occurred. Chapter 19 identifies these elements in detail.
This section also addresses the various elements of safety culture and the role of leadership therein. Below is a definition of safety culture (by the Nuclear Safety Advisory Group):
“Safety culture is that assembly of characteristics and attitudes in organizations and individuals which establishes that, as an overriding priority, safety issues receive the attention warranted by their significance.”
Personal note, in conclusion
The Haddon-Cave report (as it is commonly referred to) does not conform to the current ICAO Annex 13 defined format, as the accident happened to a military aircraft, which is not subject to civil regulations and recommended practices.
However, in my opinion it is a benchmark document relating to accuracy and depth of content. I have seen very few, if any, accident reports that go into that much technical as well as organisational detail of all aspects contributing to the accident.
Since publication of the report, cases of (large) loss of life have occurred which could be attributed to the same elements mentioned in the report. It lays bare the profound effect of management of both organisations and processes on the safety of the end result.
Therefore I think this document is timeless and should be on the bookshelf of everyone who is involved with safety related activities.
Below is a bookmarked version for you to download.