I’ve said this before. All of the BLOODHOUND Team fully expect the car will run faultlessly from first crack out of the box to finally hitting 1,000 mph after maybe 50 runs. Just re-fuel it, shove in a fresh rocket, change the oil and coolant, give it a polish, and pat it on the head. No problems, no dramas, no system failures. No paralysing moments when you think “Oh s***, why didn’t I get a nice job in a tax office?”
Yeah – and they also all unanimously still believe in the Tooth Fairy.
No – it doesn’t work like that. Of course it doesn’t. The ideal design team is made up of “ist’s”. As in 10% optimists, 10% pessimists, and 100% realists. In such a team consideration of failures is not a taboo subject spoken of in whispers. Very, very far from it. Anticipating possible failures is THE major factor trumping all other cards on the table.
There is no hiding the risks of BLOODHOUND. Indeed, they are part of the culture, part of the challenge, and part of the education. At times I have flown aeroplanes as test pilot. They didn’t always behave quite like wot it said on the box, and sometimes grabbed my attention a great deal. And when Andy Green closes the canopy and fires up BLOODHOUND for the first time he will be embarking on a far greater safari into the unknown than anything I have ever even remotely done.
This is in fact the arena of the immortals. The likes of Hanna Reitsch, the diminutive Fraulein who test-flew both the Me 163 rocket fighter and, incredibly, an experimental manned – or womaned – version of the V1 flying bomb in the 1940’s. However much you might loathe her politics – she was a devoted Nazi and a friend of Hitler – there is no arguing with her status as possibly the most courageous test pilot of all time. Or of Scott Crossfield and Chuck Yeager of the Bell X supersonic programme. Or Yuri Gagarin, the first man in orbit. Or Neil Armstrong, X15 test pilot and then first man on the moon. Or of course the Land Speed Record heroes – Campbell, Breedlove, Arfons, and of course Noble and Green themselves.
Make no mistake. This is a project up there with the lot.
But – they were then. This is now. And BLOODHOUND is (a) a huge step into unknown territory, (b) not funded by a vast national budget, and (c) taking place in probably the most risk-averse era in the history of the British nation.
Health & Safety has been one of the growth industries of the last 15 years or so. There can be hardly a person in the UK who has not been affected in some way, whether they know it or not. And as with any rapidly-spawning industry with many local authorities and independent companies recruiting, H&S has inevitably picked up a sprinkling of jobsworths, egotists, and just plain dimwits. There are always going to be some creeping in under the curtain. These are the good folk who prompt headlines like “Children told to wear goggles when they’re playing conkers”.
Oh, and of course it gets worse. Increase safety legislation, and what follows? Well, now you start pulling a gravy-train of lawyers sniffing for compensation cases when things have gone pear-shaped, however slightly. So you then get advice that says don’t clear snow off the pavement outside your corner shop because if you do you’re responsible if someone slips over, whereas if you don’t, you’re not…
Silly result. Not what H&S is actually about.
Little Johnny fails to crack head open
Britain’s governmental Health and Safety Executive (H&SE), who are very far from fools, recognise that silly’s have occurred over the years and will inevitably continue to crop up. Okay, some of the silly’s are a tad on the mythical side, but as Shakespeare said; “The good a department does is oft interred with their bones, whereas the odd officious twit can always make the headlines”. Or something like that. This goes in spades for the Health & Safety because in the nature of the beast all successes are non-events. A headline blaring: “Little Johnny fails to crack head open falling off swing due to rubberised surface beneath” is more than slightly unlikely to set the media alight. Aware that their public image is a bit like a one-way cat-flap, with stories of silly’s zapping through from one direction while stories of success coming from the other are practically non-existent, the H&SE added the word Sensible to their mission – Sensible Health and Safety… Sensible Risk Management. Possibly a bit of an own-goal in PR terms – on the lines that if you suddenly say you’re going to be sensible it kind of implies you weren’t sensible before – but the idea is that the attitude should sort of percolate down through the whole H&S industry and subtly shift the mindset to enabling rather than blocking.
Percolating, however, can take a long time. And changing an image from bogeyman to guiding uncle can take even longer.
So what did BLOODHOUND, who in the nature of the project might have been expected to quietly take a poison-tipped umbrella to any H&S officer who got within a mile of the joint, do about it?
Well, recruited a top Health and Safety expert, that’s what they did.
I’ll get back to that. Bear with me.
The base-line of Risk Assessment is to (a) identify the risk of something, (b) assign it into one of four categories – Negligible, Moderate, Significant or Extreme – and (c) work on ways of reducing that risk. (Called ‘Risk Mitigation’ in the jargon). Faced with BLOODHOUND one might have expected a knee-jerk reaction to regard everything from the ashtray on up as Extreme.
And yes, there would be a certain amount of justification for this. Again, bear with me.
One reason is that there is no precedent for BLOODHOUND. Design an airliner, a ship, a power station, a kiddies’ playground – and there’s scads of historic data in files ten metres thick. Some of it will help tell you what to do and some will give you a whole bunch of clues about what not to do, and what are the key problem areas. In that sort of scenario risk-assessment can actually be quite fine-tuned.
Historic data for a 1,000 mph car? Well….. er, actually, zero. Data from ThrustSSC a dozen years ago, yes – some of which is being picked over by the BLOODHOUND team like forensic scientists applying modern DNA techniques to the exhumed corpse of a long-unsolved murder victim – but Thrust was a completely different design and was never intended to get anywhere near 1,000 mph anyway. So precedents? Near enough zero.
Then there is the small matter of safety factor.
If I fly a modern carbon-fibre aerobatic aircraft licensed to operate to plus 10 G and minus 10 G then I know it has a safety factor of 2.3. In other words, the wings won’t actually come off unless I hit plus or minus 23 G. (It says here, anyway). This is of little practical interest to me since at 23 G I am going to be long-unconscious with my spine sticking out of the top of my head – but that is the structural safety factor: 2.3. 230 per cent. Most of the airliners you fly in have a safety factor of 1.5 – 150 per cent.
BLOODHOUND is not going to have a safety factor of 1.5. Or let me re-phrase that. All of BLOODHOUND will have as high a safety margin as design can achieve – often better than 1.5 – but in the sheer nature of the challenge…. not everything. Can’t be done. Yes, you could design wheels which would be safe to a factor of 1.5 – 1,500 mph. (Well, maybe, anyway). And yes, you could probably design a rocket with higher safety margins than the Falcon.
Only slight snag is that you could end up with a very safe car which has just sunk into the desert under its own weight.
No – Land Speed Record cars have always been at the outer edge of technology, and that always means that some margins…. are not all that very much. So you do have to get everything right. Dead right. First time. Within very tight limits. Engineering challenge in spades…
Health & Safety going a tiny tad pale.
First in the line-up are the catastrophic risks – to be blunt, the ones that must inevitably lead to an accident. The equivalent to a wing parting company from an aeroplane.
The first of these is a wheel-burst. You can monitor the wheels with all the latest electronic gadgetry in the universe – but the fact remains that if you’re tooling along on solid wheels at 1,000 mph, with said wheels spinning at 10,000 rpm and creating 50,000 G at the rims, any crack which starts is going to be Bad News. Yes, it will take time to propagate – possibly 1,000th of a second, maybe longer – but however many red lights fire up on the panel there really ain’t a dang thing you can do about it except abort the run. And then sit there with your fingers crossed while you go through the deceleration phase…
Call that Catastrophe One.
So how do you mitigate Catastrophe One? Well, you have monitoring gadgetry and you hoist the car up and check the wheels in between runs – but that’s about all you can do. So Risk Mitigation on Catastrophe One really comes down to getting the design right in the first place and then abusing a specimen wheel mercilessly by spinning it up to over-speed on a test-rig and chucking simulated small stones at it – say from a .357 Magnum. This after having carefully placed a 10 foot thick blast-wall between your little pink body and the experiment, and further taken the precaution of stuffing your fingers in your ears. Both the BLOODHOUND team and wheel sponsor Lockheed Martin are paying an awful lot of attention to the wheel design…
Also on the Extreme list is winglet actuation failure. In an ideal world strewn with rose petals, BLOODHOUND’s front and rear winglets would be static and not need to be actuated at all. In the nasty old real world they are 95% certain to have to make pitch inputs during both acceleration and deceleration to provide aerodynamic forces to keep the front/rear axle loads within limits. Just how much force, and therefore exactly how big they are and how much they will have to move, can’t be finalised until the last of the back-end aerodynamics have been optimised. But one thing is for sure – they can’t be manually controlled. Even a particularly well-greased cat – and Andy Green is a great guy but not a well-greased cat – could never react quickly enough. So the winglets must be actuated by BLOODHOUND’s triplex computer system. You start the run – the winglets do this. You trigger the rocket – the winglets do that. You chop the power – the winglets do thus. You abort the run for any reason – or it aborts itself automatically because of a failure-detection – and the winglets do thus, thus and thus as you decelerate. They are electronically coupled to most other systems in the car except perhaps the mythical ashtray, so they’ll be instantly told what to do…
Well, fine and dandy. But suppose you have a winglet actuation failure which in itself should electronically trigger an abort and shut down the jet and rocket instantly. Does that, asks the credo of Health & Safety, mean that the system which just failed the winglet actuators is now the same system responsible for shutting down the power? And is that a good idea?
Ah…
This could be what H&S call a Connected Failure – in short, if one system fails, then can that failure also cheerfully take out the emergency back-up at the same time? Like, for example, if you have a single-ring main electronics circuit, never mind the potential for a computer malfunction for a moment, but could a plain old-fashioned fire take out everything at once, including the safety over-rides? In BLOODHOUND, could such a disruption even cause the winglets to smack to the ultimate nightmare of FSD – Full Scale Deflection – the wrong way at the wrong moment?
Aaah…
And then there is the rocket and the very high pressure HTP system. The whole caboodle will be covered with temperature and pressure sensors the way a porcupine has quills, any one of which can say the electronic equivalent of “Holy S***!” if whatever it’s monitoring goes out of limits, and trigger an instant automatic shut-down. Nonetheless you still have to think pessimist and ask what would happen if despite all this there was a major rocket fire. Could that become not so much a Connected but a Contagious Failure – one that could, say, take out the airbrakes and braking ‘chutes with it…?
Aaah, again…
Then how far should you cater for Simultaneous Failures – two completely unconnected failures which just happen to occur at the same time? The answer may be that you don’t cater for it very much at all since any failure will trigger an abort anyway – but you do have to think about it.
Oh – and you also need to think what should fail Dead and what should – if possible – fail Live. In aviation for example there are certain systems (such as piston engine magnetos) which you would much prefer to fail Live if human ingenuity can manage it, since not being able to switch the thing off when you want to is considerably less of an evil than having it switch its bloody self off at an inconvenient moment.
Dead or Alive?
On BLOODHOUND most things are obviously fail Dead. In the rocket and jet circuits for example all the vital valves are spring-loaded to the shutdown condition and opened by the car’s control systems, not the other way round. So lose a control system and zap – everything instantly goes to shutdown and aborts the run. At first glance pretty well everything on the car should fail Dead…
But, well, er….. what about the airbrakes? And maybe brake-chute deployment? Might just be an idea if they could fail Live and/or have back-up activation systems…
None of this of course is in any way news to the BLOODHOUND Design Team. Any of them. And especially not to Dr John Davis, long-standing Guru of Formula One car control systems and now Senior Control Systems Engineer for BLOODHOUND. At design meetings John gives out the faint impression of being a pessimist-realist – which is a Good Thing, because the last person you need on Control Systems is a bouncing optimist. John has already created a bench-top prototype of the BLOODHOUND control system, and it works. I have to confess that I personally have only the very haziest notion of how it works – to do with a triplex system of computer processors which monitor each other, I gather – but the BLOODHOUND design team do understand it, and so I sit there smiling vaguely and nodding wisely and fooling nobody. If A Green should suffer some misfortune such as being kidnapped the day before the first runs start – which I am working on – then I would most graciously consent to drive the car, merely requiring a couple of cushions so I could both see out and reach the pedals. But understand the control system? I can’t even work my daughter’s iPod, whatever that is.
(For real info on the control systems click here and see what you can make of it.)
Nonetheless…
However clued-up and brilliant your Design Team, another gander at the problems from a fresh, outside set of eyes may be no bad thing. A mediocre design team folds its arms and looks resentful. A brilliant design team sits down around the table to see what it might learn.
So enter one Christopher Paul Boocock, Health, Safety and Environment Director of Rainham Industrial Services. RIS is a huge nationwide company providing all sorts of services to all sorts of industries, especially the power generation sector. RIS were the first Stripe Sponsor of BLOODHOUND, and part of their contribution is a great deal of Chris Boocock’s time. So Chris Boocock has taken on the task of creating what in H&S jargon is called a ‘Confidence Map’.
Jargon it may be, but Confidence Map is not too difficult to grasp in principle. What it does is look for a risk and then look at the mitigation thereof. Then look at the possibility of connected failures and the mitigation of those. Then look at the chances of contagious failures and try to mitigate those. Look and look and look until you’re confident you have an answer for everything. Piece of cake, really…
No. Not a piece of cake.
Especially, perhaps, if you are Chris Boocock. A most prominent figure in an eye-watering number of august professional bodies concerned with engineering, energy production and risk management. An acclaimed expert on power station safety. A major supporter of BLOODHOUND because of its power to get across to young engineers the message that you can sensibly manage the risks of even the most obviously dangerous of projects.
But not, in fact, a particular car enthusiast. A BLOODHOUND enthusiast, certainly, but rather like Ben Evans, not by inclination a natural petrolhead.
So this power station expert is going to apply established Health & Safety principles to BLOODHOUND. And the BLOODHOUND team welcome the fresh eyes. In an ideal world the BLOODHOUND designers will have thought of everything and Chris Boocock and the Confidence Map will produce nothing new…
But….. it could – yes, could – produce an “Oh S***, we didn’t think of it like that!” moment.
Far better to have such a moment now in a conference room in Bristol than passing through 900 mph on the Hakskeen Pan…
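The connected-failure and contagious-failure questions raised above, and the look, mitigate, look again loop of the Confidence Map, can be sketched as a dependency check. This is an added example, not BLOODHOUND's or Chris Boocock's own method; every component name, dependency and bay in it is a constructed assumption.

```python
# Constructed model: names, dependencies and bays are illustrative assumptions,
# not BLOODHOUND's real architecture.
DEPENDS = {  # component -> what it needs in order to work
    "winglet_actuators":  {"control_computer", "main_bus"},
    "engine_shutdown":    {"control_computer", "main_bus"},
    "spring_shut_valves": set(),   # fail Dead: closes with no power or command
    "rocket":             {"htp_system"},
    "airbrakes":          {"control_computer", "main_bus"},
    "backup_chute":       {"backup_battery"},
}
ZONE = {  # physical bay of each component, for fire spread
    "rocket": "rear", "htp_system": "rear", "airbrakes": "rear",
    "backup_chute": "rear", "backup_battery": "cockpit",
    "control_computer": "cockpit", "main_bus": "cockpit",
}
RISKS = [  # (hazard, failed component, spreads physically?, mitigations)
    ("winglet actuation failure", "winglet_actuators", False,
     ["engine_shutdown", "spring_shut_valves"]),
    ("rocket fire", "rocket", True, ["airbrakes", "backup_chute"]),
]

def closure(component):
    """The component plus everything it transitively depends on."""
    seen, stack = set(), [component]
    while stack:
        c = stack.pop()
        if c not in seen:
            seen.add(c)
            stack.extend(DEPENDS.get(c, ()))
    return seen

def confidence_map(risks):
    """One row per (hazard, mitigation) with the reasons not to trust it."""
    rows = []
    for hazard, failed, spreads, mitigations in risks:
        for m in mitigations:
            needs = closure(m)
            # Connected: whatever took out the failed part may take this out too.
            connected = sorted(closure(failed) & needs)
            # Contagious: the mitigation has parts in the bay that is on fire.
            contagious = sorted(c for c in needs
                                if spreads and ZONE.get(c) == ZONE.get(failed))
            verdict = "revisit" if connected or contagious else "confident"
            rows.append((hazard, m, connected, contagious, verdict))
    return rows

if __name__ == "__main__":
    for row in confidence_map(RISKS):
        print(row)
```

In this constructed model the computer-commanded shutdown shares its computer and bus with the failed winglets, the spring-loaded valves do not, and both rocket-fire mitigations have parts in the burning bay even though the back-up chute has its own battery.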