Line Concept Level 3 page 2.PNG

How Safe is Too Safe? Putting the Reasonably Back in Reasonably Practicable

This week The Central Blue welcomes back Flight Lieutenant Joshua Vicino as he asks some 'reasonably challenging' questions about contemporary safety thinking. Balancing mission-readiness with consistent safety was never going to be an easy proposition, but is it time for a rethink of the current dominant approach? Vicino lays out his argument with two case studies, concluding with thoughts about the next stage of safety culture development.

How safe is too safe? Some would argue that even asking this could be considered blasphemy from Defence’s Aviation Safety perspective. After all, our airworthiness system, first introduced in the early 1990’s, is regularly described as being written in blood. But our mission is to generate air power, which inherently places our platforms and people in harm’s way. Achieving the right balance, ‘Mission first, Safety Always’, is easier said than done, and so we should be willing to revisit our regulatory system to see whether it is giving us the outcomes we need.

This is also easier said than done. While incident and accident investigations often refer to similarities between different occurrences, it is rare to find two situations so similar as to draw direct comparison. Furthermore, to have this occur in a way that allows us to consider different regulatory systems would seem almost impossible. But I am about to outline two almost identical aircraft defects, one of which was managed under the previous aviation safety system, and one managed under the current ‘So Far As Reasonably Practicable’ (SFARP) regime. Having considered their rectification processes and the impact that these processes had on delivery of air power, we can and should ask whether our pursuit of a generative safety culture has caused us to lose sight of our reason for being – generation of air power. And if so, what can we do about it?

Back in 2016…

A RAAF aircraft and support contingent were deployed on a regional surveillance operation. On return from the second last sortie before it was to return to Australia, a post-flight inspection found a 3.75 inch-long rupture in the wing surface. The rupture was found in an area of secondary structure that did not impact the flight controls. With the diplomatic clearances locked in for the return to Australia, and one operational mission remaining, the deployed maintenance team needed to achieve a solution within 24 hours or drop the last mission.

The simplest fix was simply to leave it be. But at 3.75 inches long the structural repair manual defined the crack as outside the safe limits for flight, even for a secondary structure. Moreover, a repair option was unavailable because there were no deployed aircraft structural technicians or associated tooling and equipment. Similarly, the timeline didn’t permit the option of awaiting a novel engineering solution from the engineering support office back home. This left the sole remaining option to be for the deployed engineering officer to authorise a non-standard risk assessment that deferred the repair and allowed the aircraft to continue to fly. This assessment needed to outline the impact and likelihood of the risk as well as provide alternative treatment measures.

That treatment was goop[1]. As per the safety framework of the day, the surface rupture was filled with goop – a known mechanism for stopping crack propagation – and informal engineering advice was sought from the engineering support office via email to inform the risk assessment. As an additional control, the technicians were instructed to inspect the rupture after the flight in order to verify that it had not propagated further. Under these conditions, the risk level was evaluated as sufficiently low enough from a technical airworthiness perspective to continue flying. Operational endorsement of the risk assessment was provided by the detachment commander as authorising officer, and the aircraft completed its final operational mission and transited home uneventfully the following day. All up, the whole process took just over six hours to complete.

Fast forward to 2021…

The same aircraft type, the same region and remarkably, the same problem. This time, a 3.5 inch-long rupture was discovered on an after flight inspection in the same part of the wing. Uncannily, this aircraft also had a single operational sortie left prior to its return to Australia, and had no structural technicians deployed or the tooling and support to affect a repair.

This time, however, the deployed maintenance team was working under the Defence Aviation Safety Regulation framework. Under this framework, the ability to conduct a risk assessment and treat the risk with a non-standard process, operationally endorse this and continue flying, was no more. In fact, the new authorised maintenance manual explicitly forbids the use of a risk assessment by the deployed engineering officer as was used in 2016. Filling the rupture with goop and ‘cracking-on’ (pardon the pun) was no longer possible.

This time, the solution came from the engineering support office. They had to develop a formal engineering instruction that allowed the aircraft to be transited back to Australia in order to conduct a full structural repair. Their solution was to cover the rupture with aluminium tape, effectively an equivalent treatment to the goop method used in 2016. That resolution process, culminating in the issuance of a formal engineering instruction, took 41 hours to achieve, and led to the cancellation of the final operational sortie.

What lesson should we learn?

The remarkable similarities between these two scenarios provides us a unique opportunity for comparison. The same problem, addressed under two different regulatory systems, ended with nearly identical technical solutions. However, one did so in a way that enabled the generation of air power, and one that did not. In 2016, the deployed engineering officer and the detachment commander/authorising officer, were able to appropriately consider the operational imperative and weigh that against the aviation safety risks in consultation with appropriately qualified people. In 2021, a conservative application of the new regulatory system in place, they no longer felt empowered to do so. The result of this rigid and prohibitive interpretation of the new regulations was that they were forced down a formal process entirely controlled by a separate engineering organisation.

There’s good reason to separate church and state. Keeping the operational element and engineering support office apart by design prevents operational personnel playing fast and loose with their risk assessments and getting back in the air when they shouldn’t. However, the current approach by those who interpret the regulations and sponsor the expositions that detail how their organisation will meet their regulatory requirements, eliminates the ability for both parties to apply agile governance methods to the specific circumstances, as was done in 2016. In removing this, the enterprise as a whole loses the ability to apply reasonable risk treatment methods that maintain a focus on the reason for flying in the first place – the operational context. As such, the result of this inability to rapidly generate defensible technical risk assessments in support of operations was the loss of an operational mission – a direct reduction in air power.

But DASR wasn’t meant to be used this way. The SFARP principle was meant to allow reason to prevail. Unfortunately, we are in this position because the new, outcomes based regulatory framework was overlaid with the same process-driven practises that governed the old system. Instead of a system where we should be more capable of generating air power, we are now less effective.

It doesn’t have to be this way. DASR can be implemented as the outcomes-based regulatory framework it was meant to be. Engineering support offices across the RAAF have the opportunity to improve their processes, to enable us to once again generate defensible technical risk assessments at short notice, with limited time, and to optimise the generation of air power. If the potential for major conflict is as imminent as some would suggest, this optimisation is a must. Now is the time for Commanders and Managers alike to understand what it means to be reasonably practicable and to drive the cultural change in their organisations necessary for genuine progress. This doesn’t mean we should return to pathological cultures of the early 90’s, but given our reason for being, we simply can’t afford to be so safe that we unnecessarily limit our operational effectiveness.

[1] Imagine an aviation version of Selley’s kitchen sealant

Flight Lieutenant Joshua Vicino is an Electronics Engineer working in the Royal Australian Air Force. He holds a Bachelor of Science and Master of Electrical Engineering from The University of Melbourne. He is currently the Officer in Charge of Maintenance at No. 10 Squadron.