As military systems become increasingly complex, so does the requirement to argue acceptable levels of safety. Many long-established design standards favour mitigating safety risk by design, and view mitigation by procedure of lesser value. However, recent experience has shown that this 'design everything in' philosophy can remove flexibility - some military users regularly mitigate risk through a combination of procedure and design, and are generally happy to accept more risk to gain the flexibility that this brings. A natural tension therefore exists between the 'classical' approach of designing in safety, and an alternative approach that adjusts the design/procedural split to gain operational flexibility.