Gaye Francis

ALARP & the WHS Legislation

The recent surge in the ALARP debate amongst engineers has prompted the R2A partners to reconsider how it was that ALARP was developed at all and how it has caused so much controversy, at least in Australia. Our recent blogs Risk Paradigm Shift Takes a Generation and Is There a Difference between ALARP & SFAIRP? The Debate Continues covered much of this, but since the debate continues we felt it was worth a further comment.

The ALARP debate seems to have arisen from Sir Frank Layfield’s (a lawyer) Sizewell B Inquiry of 1987. Whilst he gave approval for the nuclear power station to proceed, there were a number of matters that were unresolved including, for example, an understanding of the level of danger posed by anticipated radiation levels. Sir Frank recommended that this matter be investigated further.

Practically, the task was passed on to the then newly established (1975) UK Health and Safety Executive (HSE). Whilst Sir Frank was assisted by a large number of engineers, the UK HSE’s document, The Tolerability of Risk from Nuclear Power Stations (1988), appears to have been prepared mostly by scientists. It is a careful document. The so-called dagger diagram which is used to describe the ALARP approach does not have any risk numbers shown on it. These are summarised in the appendix of the document.

Nevertheless, the use of numbers was popularly seized upon. That is, the risk numbers in the appendix were applied to the diagram as shown above (from a summary by the International Atomic Energy Agency on the Tolerability of Risk the ALARP Philosophy).

This was all very unfortunate as it is a proposition the courts (at least Australian courts) were never able to accept. As Sir Harry Gibbs (Chief Justice of the Australian High Court) put it in 1982:

Where it is possible to guard against a foreseeable risk, which, though perhaps not great, nevertheless cannot be called remote or fanciful, by adopting a means, which involves little difficulty or expense, the failure to adopt such means will in general be negligent.

(Turner v. South Australia (1982) 42 ALR 669). 

That is, it does not matter how rare an event is: if the consequences are critical and more could reasonably have been done to prevent or manage the outcomes, then the courts, post-event, will consider this failure to be negligent.

Since this common law understanding is that which was put into the OHS/WHS legislation, the ALARP approach using target levels of risk became, by statute, quite unsupportable. 

From the R2A perspective, this became clear when the OHS Act in Victoria (2004) commenced as the enabling legislation for major hazard facility (MHF) regulators. This result required that R2A change from being risk engineers to due diligence engineers. It also precluded R2A from providing MHF advice as long as relevant MHF regulators continued to use target-level-of-risk arguments rather than criticality driven safety-in-design arguments. 

Happily, this changed in Victoria where the MHF regulator in 2022 moved to the Gibbs position. That is, the credible worst case outcomes (the science, which remains arguable for complex hazard scenarios) are described and then the possible control options are considered (a design exercise), as shown in the diagram below.

From a pre-event perspective, the more scientists know, the better engineers can do, although there is a functional overlap between the two. Post-event, the courts are actually completing a retrospective design review to test if any design options were overlooked or poorly implemented from what is an awful, but now known, outcome.

This is entirely consistent with the thinking of David Howarth, the Professor of Law and Public Policy from Cambridge University (whom R2A sponsored to Melbourne in 2017) in his book Law as Engineering. The law is chiefly a design process, and the lawyers are looking to the engineers for inspiration (Watch this short presentation by David Howarth). 

Based on this, there seems to be a general intellectual alignment emerging amongst lawyers, engineers and scientists on how this all should be done.


If you’d like to discuss further how our work helps ensure governance outcomes that meet Australian WHS/OHS legislation that all reasonably practicable precautions are in place for high consequence, low likelihood events, head to our contact page.

Risk! Engineers Talk Governance episode The Demise of ALARP in Victoria Major Hazards (and the continuing debate on ALARP vs SFAIRP)

Megan Barrow

Risk paradigm shifts take a generation

R2A recently acted as expert witnesses before VCAT (The Victorian Civil and Administrative Tribunal) regarding the rejection of a planning permit for a two dwelling redevelopment on a single site. 

The planning permit had been rejected by the relevant council on the basis of advice from WorkSafe Victoria that population ‘densification’ within a 1 kilometre ‘outer safety area’ distance of the boundary of a major hazard facility (MHF) was undesirable (see https://www.worksafe.vic.gov.au/land-use-planning-near-major-hazard-facility).

As the particular matter is presently sub judice, we won’t be commenting on specific details of this case in question at this time. But we observe that because the new MHF land use guidelines only came out mid 2022, it has created an avalanche of cases before VCAT with different VCAT members using different approaches to accept or reject development proposals which has flow on implications including appeals to the Supreme Court.

However, most interestingly, from a professional practice viewpoint, we can now confirm that the Victorian Major Hazard Regulator has adopted a consequence based approach to land use planning overturning the long established risk based (QRA - quantified risk assessment) approach. 

This is something R2A has pushed for years. Indeed, we stopped being risk engineers and became due diligence engineers in the late 2000s and generally stopped doing MHF safety case work because of this concern. That is, that QRA was indefensible in general and particularly for land use safety planning. Such planning should be consequence based, testing for effective risk controls for predicted credible event severity as shown in the diagram below.

Consequence based testing for effective risk controls for predicted credible event severity

The reason is simple. As the 2004 Maxwell Review, which resulted in the 2004 OHS Act (the enabling legislation for MHFs) in Victoria, suggests, everyone is entitled to an equal level of protection. A hazard cannot be discounted merely because it is considered rare. It does not matter how low the risk is: if more can reasonably be done, then it should be, and the failure to do so will be negligent (paraphrasing Chief Justice Sir Harry Gibbs in Turner v. The State of South Australia (1982)).

For example, the fact that the likelihood of a single fatality is less than, say, 1 x 10^-7 per year does not mean it can’t happen and nothing further needs to be done. As Section 4 of the Vic OHS Act notes: The importance of health and safety requires that employees, other persons at work and members of the public be given the highest level of protection against risks to their health and safety that is reasonably practicable in the circumstances.

Or in the words of Barry Sherriff (one of the lawyers who helped draft the WHS legislation): Simply makes it clear that you start with what can be done and only do less when it is reasonable to do so.

This means that in R2A’s view, safety-in-design solutions to eliminate or prevent hazard consequences associated with MHFs should be considered and tested for reasonableness as part of the planning/building permitting process.

Look out for Season 2 of Risk! Engineers Talk Governance podcast where Richard & Gaye discuss this further.

Megan Barrow

Is there a difference between ALARP & SFAIRP? The debate continues.

We recently discovered a LinkedIn post and comment trail where an old R2A ‘ALARP versus SFAIRP’ image was used. Some extra words had been inserted on it by others emphasising the two terms, adding confusion. There were a lot of varying comments in the thread debating whether there’s a difference between ALARP & SFAIRP, but rather than go through them individually, we have chosen to summarise R2A’s take on where this is at:

  1. Risk assessment (especially QRA - quantified risk assessment) using technical risk targets is now and always has been flawed as it can prevent consideration of possible further controls due to the perceived lowness of the risk.

    Often when looking at a corporate risk register, the last items on the list are the critical ones in consequence terms but placed at the bottom in risk terms because of their perceived rareness.

    Discounting consequences (and thereby possible controls) by the unlikeliness of the event has always been in error. The MHF regulator in Victoria corrected this last year (read Risk Paradigm Shifts Take a Generation) releasing a pent-up Kraken of land use planning pain.


  2. ALARP and SFAIRP are not terms created by R2A. They come from the UK.

    ALARP was created by the Health and Safety Executive. We think it was an unfortunate and unnecessary development. It encouraged the use of risk targets, thereby inhibiting consideration of possible further practicable controls. Just do a search for ALARP in Google and dagger diagrams with risk targets abound. It may not be what was intended but that is what it encouraged. It flowed into dam safety, maritime and aviation safety and many other areas. 

    SFAIRP appears to have been created to contrast the difficulties with ALARP. For example: Felix Redmill from Newcastle University (UK) observed in 2010:

    What confidence can there be that a risk deemed ALARP would also be judged to have been reduced SFAIRP? Can the two concepts be said to be identical? They cannot. As already pointed out, they were defined by different parties (the law-makers and the safety regulator) for different purposes (stating a legal requirement and offering guidance on a strategic approach to meeting it). But does one imply the other? No.

    There can be no guarantee that the same ALARP decision would be arrived at by two different practitioners, and certainly none that an ALARP decision arrived at now in an industrial context would later be judged by non-engineers in a legal context to have met the SFAIRP test.

  3. The UK HSE’s document, ALARP “at a glance”, equates the two concepts, but later in the same document notes:

    You may come across it as SFAIRP (“so far as is reasonably practicable”) or ALARP (“as low as reasonably practicable”). SFAIRP is the term most often used in the Health and Safety at Work Act and in Regulations. ALARP is the term used by risk specialists, and duty-holders are more likely to know it. We use ALARP in this guidance. In HSE’s view, the two terms are interchangeable except if you are drafting formal legal documents when you must use the correct legal phrase.

  4. In R2A’s view, it has always been about ensuring that all reasonably practicable precautions are in place.

    You should strenuously avoid any ‘risk assessment’ process that may prematurely exclude viable potential controls from further consideration. And the prudent approach is to always use the correct legal term in the way legislation and the courts apply it, irrespective of what a regulator says to the contrary. Why create confusion by having two terms?

Also read: SFAIRP Not Equivalent to ALARP

Listen to Risk! Engineers Talk Governance episode on SFAIRP vs ALARP


Demonstrating SFAIRP (Conference Paper, CORE 2023)

This paper was presented at CORE (Conference on Railway Excellence), June 2023, in Melbourne, Australia, by Gaye Francis BE MAICD FIEAust, Managing Partner of R2A.

SUMMARY

SFAIRP (so far as is reasonably practicable) is the ‘modern’ definition of ‘safe’. Shrouded in the legal concept of the ‘safety case’, it is actually the legislated implementation of the judicial form of the principle of reciprocity – the golden rule – do unto others, incorporated into the common law by the Brisbane born English law lord, Lord Atkin in 1932. [1]

In rail safety terms, it asks the question: “If you are affected in any way by a rail network (passenger, driver at a level crossing, rail worker etc.), how would you expect the network and rolling stock to be designed and managed in order for it to be considered safe?”

The answer is that it now requires a public demonstration that all reasonably practicable precautions are in place in a way that satisfies the will of our parliaments and our sovereign’s courts, otherwise known as a SFAIRP safety case.

1 INTRODUCTION

The rise of Work Health and Safety [2] (WHS) legislation and associated Rail Safety National Law [3] (RSNL) mandates that there needs to be a positive demonstration of safety due diligence. If there is a conflict between the two Acts, the WHS legislation takes precedence (section 48 of RSNL). Presently, the most robust and effective way to achieve this known to the authors is by the use of the safety case concept to demonstrate SFAIRP (that hazards, risks and harm have been eliminated or reduced so far as is reasonably practicable), that is, the rise of the SFAIRP safety case.

Safety Cases have been around for a long time. In Victoria they are de rigueur in rail, gas, petroleum, power and major hazards industries. For example, the Victorian Major Hazard regulations [4] (OH&S, 2000) have required that the operator must identify all hazards that could cause major incidents (Section 302) and that such a safety case must be signed off by the most senior company officer resident in Victoria (Section 402).

The inclusion of criminal manslaughter provisions in safety legislation (which therefore includes dealing with hazards that were either known or ought to have been known) has reinforced this. It is now absolutely essential for anyone (especially officers as defined by corporations’ law) responsible for the design, construction and management of any facility that can cause fatalities, like railways, to positively demonstrate safety due diligence in a way that is scientifically defensible, organisationally useful, publicly digestible and which will survive post-event legal scrutiny.

Note also that on 1 July 2021, Victoria commenced the SFARP provisions of the Environmental Protection Act 2017 [5]. Amongst other things, this Act imposes a general environmental duty (GED) on a person to minimise, as far as reasonably practicable (SFARP), risks or harm to human health and the environment (Section 25). Particularly, it further requires the person to eliminate such risks, and if not reasonably practicable to do so, to reduce them so far as reasonably practicable (Section 6). If not already, it appears to be only a matter of time before the SFA(I)RP concept will be entrenched in other legislation and regulatory instruments.

In this context, it is important to remember that legally, safety risk does not arise because something is inherently dangerous, which railways potentially are, rather it arises because there are insufficient, inadequate or failed precautions as determined by our courts, post event.

2 The Safety Case Concept

The safety case concept is a well-established method for organisationally demonstrating safety due diligence. As the English law lord, Lord Cullen put it in 2001 [6]:

A safety case regime provides a comprehensive framework within which the duty holder’s arrangements and procedures for the management of safety can be demonstrated and exercised in a consistent manner. In broad terms the safety case is a document – meant to be kept up to date – in which the operator sets out its approach to safety and the safety management system which it undertakes to apply. It is, on the one hand, a tool for internal use in the management of safety and, on the other hand, a point of reference in the scrutiny by an external body of the adequacy of that management system – a scrutiny which is considered to be necessary for maintaining confidence on the part of the public.

Safety cases have parallels with business cases. The latter are usually drawn up to convince a financier that an organisation is viable. The object is to assure that all significant factors affecting the organisation have been identified and that appropriate measures are in place to maximise the positive factors and minimise the negative ones. This is usually the responsibility of the highest levels of management of the organisation.

3 Demonstrating SFAIRP

This section outlines R2A’s Y Model [7] developed in 2011 to specifically address the requirements of the model WHS Act, which in turn satisfies the obligations of the RSNL. That is, to eliminate risks to health and safety so far as is reasonably practicable (SFAIRP), and if it is not reasonably practicable to eliminate risks to health and safety, to reduce those risks so far as is reasonably practicable. The process has been applied to very many organisations since, always to the satisfaction of relevant legal counsel.

Figure 1. R2A ‘Y’ Model


The safety due diligence approach implements the ‘Y’ model shown above based on a diagram after Sappideen and Stillman, 1995 [8]. This has four steps summarised below.

3.1 Credible critical issues completeness

This is a completeness check to ensure all credible critical safety issues have been identified. That is, the issues faced by a rail operator that have the potential to cause serious harm. This can be done in a number of ways such as vulnerability or consequence assessments (who is exposed to what hazards), past incidents and generative interviews with recognised experts and so on.

Figure 2. Applies to Critical Threats and Hazards


3.2 Identifying all possible practicable precautions

The second step is to develop a process that ensures all physically possible measures to eliminate or minimise the risk have been consistently considered. Part of this will include testing the controls and safety measures identified by rail owners and operators. Legislation and regulation require that risk control be based upon the Hierarchy of Controls shown below, applied in the order of most to least preferred: elimination, prevention and mitigation. These decisions need to be adequately documented with appropriate sign-off.

Figure 3. Hierarchy of controls as tested in court post-event

3.3 Reasonableness & barrier implementation

This step looks at all of the precautionary options that are possible and available; and in view of what is already in place decides on additional precautionary effort. The decision is a balancing exercise and involves taking into account and weighing up all relevant matters including, on the one hand:

the likelihood of the hazard or risk concerned occurring;

the degree of harm that might result from the hazard or risk;

what the person knows, or should reasonably know, about the hazard or risk and ways of eliminating or minimising that risk;

the availability and suitability of ways to eliminate risk; and also costs associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

Or, put another way, the decision is based on the balance of the significance of the risk (likelihood and consequence) versus the effort required to reduce it. Effort includes cost (how much), the degree of difficulty and inconvenience (how hard it is to implement) and utility of conduct (what other things go missing if that course of action is adopted). In this context, recognised good practice is the starting point, not the goal. This is where disproportionality comes into play.

Disproportionality results from the law of diminishing returns (the pain is not worth the gain) for precautionary effort.

For example, if the first precaution reduces the risk by 99%, the next precaution can only affect the remaining 1% and so on. So, in terms of the balance of the significance of the risk vs the effort required to reduce it, the scales thump to the ‘let’s not do anymore for now’ side very quickly for effective precautions.

3.4 Quality assurance

A quality process to confirm that the agreed precautions are sustained.


4 Possible Safety Case Arguments

Efforts to demonstrate how risk should best be managed have given rise to a number of risk management decision paradigms, all of which have been or are being used to support safety case arguments in different industries. A paradigm is a universally recognised knowledge system that for a time provides model problems and solutions to a community of practitioners (Kuhn, 1970) [9]. New paradigms based on more comprehensive or convincing theories may supersede older ones or exist co-jointly with them.

This section describes a number of the most common risk paradigms [10] and details some of the advantages and disadvantages of each. They are listed in the order in which they became historically apparent. The paradigms are:

i. The rule of law.

ii. Traditional risk management historically typified by Lloyds Insurance and the US Factory Mutuals’ highly protected risk (HPR) approaches.

iii. Asset based risk management, typified by engineering-based failure modes, effects and criticality analysis (FMECA), hazard and operability (Hazop) and quantitative risk assessment (QRA) approaches.

iv. Threat-based risk management typified by strengths, weaknesses, opportunities and threats (SWOT) and vulnerability type 'top-down' mission-based military appreciation type analyses.

v. Solution-based ‘good practice’ risk management rather than hazard-based risk management.

vi. Biological, systemic mutual feedback loop processes, often manifested in hyper-reality computer-based simulations.

vii. Risk culture concepts including quality type approaches.

4.1 The rule of law

The power of the legal approach is that it is time-tested and proven. The Brisbane born English law lord, Lord Atkin unleashed an avalanche of negligence claims in the common law world (Donoghue v Stevenson 1932) [1] with the view that:

You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour.

If the judiciary is independent of political and commercial interests of the day, then an independent and potentially fair resolution can occur. Perhaps this is why it works; both the political and judicial systems must simultaneously fail before social breakdown occurs and there is potential for catastrophic social dislocation. The weakness of the legal approach, certainly in an adversarial legal system like ours, is that the courts remain courts of law rather than courts of justice. As The Institution of Engineers, Australia (1990) notes [11]:

Adversarial courts are not about the dispensing of justice, they are about winning actions. In this context, the advocates are not concerned with presenting the court with all the information that might be relevant to the case. Quite the reverse, each seeks to exclude information considered to be unhelpful to their side's position. The idea is that the truth lies somewhere between the competing positions of the advocates.

Further, courts do not deal in facts; they deal in opinions.

What is a fact? Is it what actually happened between Sensible and Smart? Most emphatically not. At best, it is only what the trial court, the trial judge or jury - thinks happened. What the trial court thinks happened may, however, be hopelessly incorrect. But that does not matter - legally speaking.

4.2 Insurance and historical records

The Lloyds Insurance and the Factory Mutual Highly Protected Risk (HPR) [12] approaches historically typify insurance-history based risk management. Looking at past incidents and losses and comparing these to existing plants and facilities allows judgements to be made about (future) risk. The difference historically is that one approach, Lloyds', has a financial focus, whereas the Factory Mutuals’ focus is targeted at a level of engineered and management excellence.

The power of the insurance process is the very tangible nature of history, and in a sense the results represent the ultimate Darwinian ‘what if’ analysis. Its weakness is that in the modern rapidly changing world, empirical history has become an increasingly less certain method of predicting the future.

4.3 Asset and hazard

Asset based risk management is typified by engineering based FMECA (failure modes effects and criticality analysis), Hazop (hazard & operability) and QRA (quantitative risk assessment) event-based approaches. The power of event-based techniques lies in the detailed scrutiny of complex systems and the provision of closely-coupled solutions to identified problems. It revolves around hazards and asset component failure events and the resulting flow-on steps throughout the asset (rail), tracing whether they culminate in partial or full failure of the asset (rail) and its system function. Any proposed risk control solutions can be both focussed and specific. They can be easily considered for cost/benefit results. Each step (effectively a potential barrier) can be assessed for SFAIRP. The resulting risk registers are powerful decision-making tools.

However, these methods have to separately address common cause or common mode failures which became apparent from major loss events that the authors have investigated. Event-based techniques typically do not examine how a catastrophic failure elsewhere might affect a particular component or the others around it. In the case of FMECA and QRA, after assessing failure modes, care has to be taken in determining what failure modes are mutually exclusive and what needs common cause / mode consideration / adjustment and how this translates to risk control solutions.

4.4 Threat (error) and vulnerability - military intelligence

Threat-based risk management is typified by SWOT (strengths, weaknesses, opportunities and threats) and vulnerability type top-down analyses. These methods mostly identify areas of general strategic concern rather than solutions to particular problems. Its strength is that it provides a completeness argument for why no credible critical issues have been overlooked. In rail safety cases, it is a particularly common approach to assess the impacts of rail events like derailment, collision etc. on the critical exposed groups.

4.5 Recognised good practice

An alternative to this is a precautionary (solution) based good practice risk management. The good practice risk management approach simply looks at all the good ideas other people in an industry use to see if there is any reason why such ideas ought not to be applied at one’s own site. The good practice approach is particularly powerful in a common law due diligence sense. If there were a simple solution to a serious problem implemented at a competitor's facility, then common law negligence could arise if failure to adopt this good practice resulted in something going badly wrong at the subject site.

A good practice process is one of the few approaches that address this difficulty. In a sense, this is confirming the view that liability arises when there are unimplemented good ideas rather than the existence of hazards or vulnerabilities in themselves. For example, could a marine pilot’s PPU (personal pilotage unit) be adapted and used for situational awareness by a train driver for long distance travel between states?

4.6 Evolutionary simulation

Biological/computer simulation paradigms are derived from the application of evolutionary concepts developed in virtual reality. This amounts to modelling a complex system in a virtual reality environment and playing endless what if scenarios. Such computer simulations can be most easily used for worst-case combinations of variables. The simulations can also be fine-tuned by calibrating against empirical data or through carefully controlled physical experiments.

4.7 Culture

James Reason [13], a psychologist, develops a cultural paradigm model in several ways (Reason, 1997). He notes three types of risk culture:

Pathological - don’t want to know and messengers arriving with bad news are ‘shot’

Bureaucratic- messengers are listened to if they arrive alive

Generative - actively seek bad news and train and reward messengers

Figure 4. SFAIRP and Reason’s paradigms


The importance of these concepts is well known in rail safety.

These paradigms are listed in Table 1 below, together with the three generic techniques by which humans seem to make decisions. These are:

Expert reviews. The difficulty with this approach is that, if you don’t think the expert is right, there needs to be at least two alternative experts to change the decision.

Facilitated workshops. This parallels the adversarial legal system, where the sovereign’s champions (usually two barristers) present the alternative cases and the judge or jury decides.

Selective interviews, which parallels the inquisitorial system where someone armed with vast powers subpoenas persons until they have enough evidence to come to a judgement. In the Australian and New Zealand systems, this is represented by Coronial Enquiries and Royal Commissions.

Table 1 Available techniques

Each of these paradigms and decision techniques has different pros and cons depending on the culture of the organisation and the nature of a particular task. The best methodologies that might be used in the implementation of a safety case in each of the risk paradigms as determined by the Risk Engineering Society of Engineers Australia (2014) [10] are highlighted in Table 1.


5 Exemplar SFAIRP safety case

This section considers which of the possible safety case arguments would support the SFAIRP process as applied to rail safety cases. It is difficult to prescribe which arguments are optimal without a particular railway in mind. There is no single ‘right way’ to complete a SFAIRP safety case. The arguments that are to be used to support the safety case need to be established in advance and are likely to depend on the circumstances of each rail and are unlikely to be the same for any two railways. For example, the safety argument for a suburban electric network is likely to be entirely different to an outback mining corridor or an isolated, single train heritage track.

5.1 Credible critical issues completeness argument

For the particular rail under consideration, what are the best approaches to determine which are the credible critical failure mechanisms for that particular railway?

5.2 Identifying all possible practicable precautions

There are a number of generic analysis tools that can be employed to identify possible practicable precautions and then facilitate the reasonableness assessment of same. They include cause-consequence diagrams, threat-barrier (bow-tie), layers of protection (LOPA) and Venn (Swiss Cheese) diagrams. These are discussed in Robinson & Francis (2022) [14]. However, in the experience of the authors as expert witnesses, the one that has proven to be most successful with the courts and the public has been single line threat-barrier diagrams.

The following sample threat barrier diagram has been developed for a representative credible critical issue associated with railways. It identifies the legal loss-of-control point and the existing and possible control barriers. The legal loss-of-control point is the point at which the laws of nature and man align. Controls that act before the loss-of-control point are legally precautions that stop the loss-of-control from occurring (that is, reduce the likelihood of its occurrence) whilst controls that act after the loss-of-control point are mitigations and reduce the scale of the consequences. Effectively, such a diagram describes the legislatively mandated hierarchy-of-control moving from left to right.

Figure 5. Sample single line threat-barrier diagram


The key is not only to identify the existing barriers (shown as solid vertical lines) but also to identify all further possible practicable controls (shown as dotted vertical lines), including emerging technology and what is considered recognised good practice, especially in new rail projects. For example, new rail tunnel ventilation and smoke extraction systems are typically designed to handle a fully developed worst-case train fire, with evacuation paths arranged so that, essentially, smoke is blown one way while evacuating people move in the other direction. This is a good practice precaution that should then be tested for reasonableness for any upgrade works on existing rail tunnels.

Another example: could a Driver’s Resource Management (DRM) system, modelled on the marine pilot’s PPU (personal pilotage unit) and BRM (Bridge Resource Management), be provided on interstate trains? The technology is well established, sold globally and would only have to be adapted.

Preliminary discussions with manufacturers [15] at the AMPI conference [16] in Hobart in March 2023 suggest that the hardware cost per driver would be around $5,000. This would provide a completely independent, battery-powered (15 hours), weather-resistant driver management system (DMS) including a driver’s iPad with magnetically attached GNSS (GPS, GLONASS, Galileo, QZSS, BeiDou, etc.) positioning units (with SBAS correction to 1 m accuracy) at either end of the train (to confirm train continuity), each with 3G, 4G and 5G real-time communications and satellite data connections (with manufacturer-claimed jamming and spoofing resistance). Such units would automatically provide for voice recording of the driver and train control.

Figure 6 Marine pilot PPU [17]

The main cost would be interfacing the track data, real-time environmental databases and train movement information, provisionally estimated at $50m for the whole of Australia. Coupled with TMACS [18] train control (originally functionally certified by R2A for NSW in the late 1990s) and watchdog monitoring, this would probably increase driver, track gang and train controller situational awareness by up to two orders of magnitude.
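The train continuity check that the two positioning units are there to provide can be illustrated in a few lines. The following Python is an example written for this page; it is not code from R2A, 4Tel or the PPU manufacturers. It assumes one GNSS unit at each end of the train reporting a WGS-84 latitude and longitude with a receiver timestamp, a known coupled train length, and the roughly 1 m SBAS-corrected accuracy quoted above. The minimum curve radius (200 m), line speed ceiling (45 m/s) and timestamp-skew limit (1 s) are assumptions chosen for the example, and the fixes in demo() are constructed.

```python
"""Train-continuity check from two independent GNSS fixes.

Illustration added to this page; not code from R2A, 4Tel or any PPU
manufacturer. Assumes a GNSS unit at each end of the train, a known
coupled length and the ~1 m SBAS-corrected accuracy quoted in the text.
The curve radius, speed and skew limits below are assumptions.
"""
from dataclasses import dataclass
from math import asin, cos, pi, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
FIX_ACCURACY_M = 1.0  # per-receiver horizontal accuracy stated in the text


@dataclass(frozen=True)
class Fix:
    """One GNSS position report from a head-end or tail-end unit."""
    lat_deg: float
    lon_deg: float
    t_s: float  # receiver timestamp, seconds


def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance in metres between two fixes (spherical earth)."""
    dlat = radians(b.lat_deg - a.lat_deg)
    dlon = radians(b.lon_deg - a.lon_deg)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat_deg)) * cos(radians(b.lat_deg)) * sin(dlon / 2) ** 2
    return 2.0 * EARTH_RADIUS_M * asin(sqrt(h))


def min_chord_m(train_length_m: float, min_curve_radius_m: float) -> float:
    """Shortest straight-line distance the two ends can legitimately show.

    On a curve the ends are closer than the coupled length (a chord, not the
    arc); the tightest curve the train can stand on bounds how much closer.
    """
    if train_length_m >= pi * min_curve_radius_m:
        return 0.0  # could wrap more than a half circle: no useful lower bound
    return 2.0 * min_curve_radius_m * sin(train_length_m / (2.0 * min_curve_radius_m))


def continuity_state(head: Fix, tail: Fix, train_length_m: float, *,
                     min_curve_radius_m: float = 200.0,  # assumed tightest curve
                     max_speed_mps: float = 45.0,        # assumed line speed ceiling
                     max_skew_s: float = 1.0) -> str:    # assumed comparable-fix window
    """Classify a head/tail fix pair as 'intact', 'parted', 'implausible' or 'stale'.

    'stale': fixes too far apart in time to compare; raise as a sensor or comms
    fault, not as evidence the train is whole.
    'implausible': ends closer than the geometry allows, which is what an
    identical or replayed position from both units would look like.
    """
    skew = abs(head.t_s - tail.t_s)
    if skew > max_skew_s:
        return "stale"
    separation = haversine_m(head, tail)
    # Error budget: both receivers' stated accuracy plus how far the train can
    # move in the time between the two fixes.
    budget = 2.0 * FIX_ACCURACY_M + max_speed_mps * skew
    if separation > train_length_m + budget:
        return "parted"
    if separation < min_chord_m(train_length_m, min_curve_radius_m) - budget:
        return "implausible"
    return "intact"


def demo() -> dict:
    """Constructed fixes: two units on one meridian, 0.004 deg (~445 m) apart."""
    head = Fix(-37.800, 144.960, 100.0)
    tail = Fix(-37.804, 144.960, 100.0)
    return {
        "intact": continuity_state(head, tail, train_length_m=450.0),
        "parted": continuity_state(head, tail, train_length_m=440.0),
        # 0.2 s skew at 45 m/s widens the budget by 9 m, so 440 m is no longer 'parted'
        "skew_tolerated": continuity_state(head, Fix(-37.804, 144.960, 100.2), train_length_m=440.0),
        "stale": continuity_state(head, Fix(-37.804, 144.960, 103.0), train_length_m=450.0),
        "implausible": continuity_state(head, head, train_length_m=450.0),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:>15}: {state}")
```

The test is deliberately one-sided. A separation shorter than the coupled length is normal on a curve, so only a separation longer than the length plus the error budget indicates a parted train, while a separation shorter than the tightest-curve chord is a fault in the fixes themselves, and is where a replayed or spoofed position fed to both units would first show up.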

That is to say, it is not enough to only consider your own industry for new precautions to address known risks.

5.3 Reasonableness and barrier Implementation

In determining reasonableness, further controls must be considered in hierarchy of control order, based on the balance of the significance of the risk versus the effort required to reduce it. Some organisations look at short, medium and long term SFAIRP options. For example, an upgraded train protection system on a section of track may be the ultimate long term (5-10 year) SFAIRP option, but a shorter term (12 month) SFAIRP option may be to reduce the number of possible train collision interactions, enhance signal sighting for drivers and optimise the performance of the existing mechanical train stops.

From a due diligence perspective, it is important not only to document the further controls to be implemented but also to record why certain controls are not considered reasonable. It is also important that:

  • Recognised good practice, such as that represented in a standard, is treated as just the starting point. Further good ideas are to be tested for value. For example, the option to piggyback on ADS-B [19] from the aviation industry, thereby treating trains as low flying aircraft, is an intriguing idea.

  • Decisions are made to a common law standard consistent with decisions of the High Court of Australia, such as Justice Mason’s decision in Wyong Shire Council v Shirt (High Court of Australia, 1980) [20].

  • Precautions with less than a 50% chance of working (as a likelihood assessment) are not considered or adopted, as (legally) they are more likely to fail than succeed.

  • Those who are at risk are consulted; this is legislatively mandated. For major community issues, this consultation is expected to be wider than just the teams of experts described in the workshop sign-off below.

5.4 Quality assurance

5.4.1 Workshop sign-off

One point often overlooked in most SFAIRP (risk) workshops is the sign-off. Workshops should be organised to ensure that the best available knowledge and expertise is in the room. This means however, that at the end of the workshop session, the group should be formally tested to see if there are any other issues of concern which had not been raised or adequately addressed during the workshop session, and, more importantly, if there were any other good ideas or precautions that should be put on the table for consideration. Any issues raised should be tested and resolved formally.

5.4.2 Review by legal counsel

Most legal advice regarding the demonstration of due diligence as required by the model WHS legislation is focussed on a compliance audit to the relevant section and clauses. But this should be the outcome of the due diligence process, not the cause. That is, in order to be safe in reality, it is firstly necessary to manage the laws of nature. Confirming that this has been achieved to the satisfaction of the laws of man is a secondary exercise and one to which lawyers can be usefully and efficiently tasked, especially regarding consensus as to the legal loss-of-control point/s. If it isn’t clear to the lawyers on reading the safety case that the legal loss-of-control point is sound, then the application of the hierarchy of controls is likely to be confused and leave everyone and everything open to post-event legal argument and potential liability.

5.4.3 Articulated enduring QA process

The procedures by which agreed precautions are to be sustained into the future need to be articulated and adequately documented.

6 Conclusion

The SFAIRP safety case is increasingly being entrenched in legal systems and regulatory instruments.

Our parliaments and courts are not requiring that ‘you get it right’ all the time, which is a logical impossibility of the human condition. What the WHS/OHS/RSNL/EPA legislation demands is a continuous, positive demonstration of safety due diligence. What the community and courts get ‘cranky’ about, post event, is when a precaution exists which was either known or ought to have been known, which was reasonable in all the circumstances and which, if it had been in place would have stopped the horror from occurring.

This means that an essential aspect of a SFAIRP safety case is that there is a continual testing for new or enhanced risk control ideas, to see if they have value and ought to be implemented. But this has to be achieved in a way which satisfies legal scrutiny, pre and post event.

This also means that it is difficult to see how any safety case for any rail operator can be considered robust unless it has been reviewed by relevant legal counsel. In a very real sense, pre-event verification of a safety case can make lawyers really, really useful to accredited rail operators.

References

1. United Kingdom House of Lords (1932). Donoghue v Stevenson [1932] UKHL 100.

2. Safe Work Australia (2011). Model Work Health and Safety Bill. 23 June 2011.

3. The Rail Safety National Law was passed by the South Australian Parliament on 1 May 2012, replacing 46 pieces of State, Territory and Commonwealth legislation.

4. Occupational Health and Safety (Major Hazard Facilities) Regulations 2000, S.R. No. 50/2000 (Victoria).

5. Environment Protection Act 2017 (Victoria). Authorised version incorporating amendments as at 1 July 2021.

6. Cullen, Rt Hon Lord (2001). Transport, regulation and safety: a lawyer’s perspective. The Transport Research Institute, United Kingdom.

7. Francis, Gaye and Richard M Robinson (2021). Criminal Manslaughter and How Not to Do It (reprinted 2023). R2A Pty Ltd, Melbourne.

8. Sappideen, Carolyn and R H Stillman (1995). Liability for electrical accidents: risk, negligence and tort. Engineers Australia Pty Limited, Crows Nest, Sydney, p. 22.

9. Kuhn, T S (1970). The Structure of Scientific Revolutions. 2nd ed. University of Chicago Press, Chicago.

10. Engineers Australia, Risk Engineering Society (2014). Safety Case Guideline. Third edition.

11. The Institution of Engineers, Australia (1990). Are you at risk?

12. FM Global. See: https://www.fmglobal.com.au/about-us/our-business/our-history viewed 3 March 2023.

13. Reason, James (1997). Managing the Risks of Organisational Accidents. Ashgate Publishing Limited, Aldershot, UK.

14. Robinson, Richard M and Gaye Francis (2022). Engineering Due Diligence (12th edition, reprinted 2023). R2A Pty Ltd, Melbourne.

15. Navicom Dynamics Ltd (New Zealand) and AD Navigation AS (Norway).

16. Australasian Marine Pilots Institute (2023). Building Resilient Pilotage Conference, Hobart.

17. Navicom Dynamics Ltd. See: https://navicomdynamics.com/en/products/channelpilot viewed 3 March 2023.

18. 4Tel Pty Ltd. See: https://4tel.com.au/index.php/en/news/12-products/network-control-systems/22-4eta-train-authorities.html viewed 3 March 2023.

19. Airservices Australia. See: https://www.airservicesaustralia.com/about-us/projects/ads-b/how-ads-b-works/ viewed 3 March 2023.

20. High Court of Australia (1980). Wyong Shire Council v Shirt (1980) 146 CLR 40.


Why SFAIRP is not a safety risk assessment

Weaning boards off the term risk assessment is difficult.

Even using the term implies that there must be some minimum level of ‘acceptable safety’.

And in one sense, that’s probably the case once the legal idea of ‘prohibitively dangerous’ is invoked.

But that’s a pathological position to take if the only reason why you’re not going to do something is because if it did happen criminal manslaughter proceedings are a likely prospect.

SFAIRP (so far as is reasonably practicable) is fundamentally a design review. It’s about the process.

The meaning is in the method, the results are only consequences.

In principle, nothing is dangerous if sufficient precautions are in place.

Flying in jet aircraft, when it goes badly, has terrible consequences. But with sufficient precautions, it is fine, even though the potential to go badly is always present. But no one would fly if the go, no-go decision was on the edge of the legal concept of ‘prohibitively dangerous’.

We try to do better than that. In fact, we try to achieve the highest level of safety that is reasonably practicable. This is the SFAIRP position. And designers do it because it has always been the sensible and right thing to do.

The fact that our parliaments have also endorsed it, so as to make those who are not immediately involved in the design process but who receive the (financial) rewards from its outcomes accountable for preventing, or failing to let, the design process be diligent, is not the point.

How do you make sure the highest reasonable level of protection is in place? The answer is you conduct a design review using optimal processes which will provide for optimal outcomes.

For example, a functional safety assessment using the principle of reciprocity (Boeing should have told pilots about MCAS in the 737 MAX), supported by the common law hierarchy of control (elimination, prevention and mitigation). And you transparently demonstrate this to all those who want to know via a safety case, in the same way a business case is put to investors.

But the one thing SFAIRP isn’t, is a safety risk assessment. Therein lies the perdition.


Does Safety & Risk Management need to be Complicated?

With Engineers Australia’s recent call-out on social media for "I Am An Engineer" stories, I was discussing career accomplishments with a team member (a non-engineer) and we were struck by how risk and safety need not be complicated: the business of risk and safety, especially in assessment terms, has been over-complicated.

Two such career accomplishments that really brought this home were my due diligence engineering work on:

  • Gateway Bridge in Brisbane
    Our recommendation was rather than implement a complicated IT information system on the bridge for traffic hazards associated with wind, to install a windsock or flag and let the wind literally show its strength and direction in real time. A simple but effective control that ensures no misinformation.
  • Victorian Regional Rail Level Crossings
    R2A assessed every rail level crossing in the four regional fast rail corridors in Victoria for the requirements to operate faster running trains. The simple conclusion, which I know saved countless lives, was to recommend closing level crossings where possible or providing active crossings (bells and flashing lights) rather than passive level crossings.

However, some risk and safety issues are not as simple, like women’s PPE.

The simple solution, to date, has been for women to wear downsized men’s PPE and workwear. But we know this is not the safest solution because women’s body shapes are completely different to men’s.

My work with Apto PPE has been about designing workwear from a due diligence engineering perspective. This amounted to the need to design from a clean slate (pattern, should I say!): designing for women’s body shapes from the outset, not tweaking men’s designs.

Figure: Apto women’s PPE versus men’s workwear

Not everyone does this in the workwear sector, but as an engineer, I understand the importance of solving problems effectively and So Far As Is Reasonably Practicable (SFAIRP).

By applying the SFAIRP principle, you are really asking the question, if I was in the same position, how would I expect to be treated and what controls would I expect to be in place, which is usually not a complicated question.

And, maybe, my biggest career accomplishment will be the legacy work with R2A and Apto PPE in making a difference to how people think about and conduct safety and due diligence in society.


To find out more about Apto PPE, head to aptoppe.com.au.

To speak with Gaye about due diligence and/or Apto PPE, head to the contact page.


Simplifying Hierarchy of Control for Due Diligence

The hierarchy of control is one of those central ideas that safety regulators have been using forever. But it is also one of those very simple ideas that has caused enormous confusion in due diligence.

In hierarchical control terms, the WHS legislation (or OHS in Victoria) provides for two levels of risk control: elimination so far as is reasonably practicable (SFAIRP), and if this cannot be achieved, minimisation SFAIRP.

In addition, criminal manslaughter provisions have been enacted in many jurisdictions.

The post-event test for this will be the common law test, albeit to the statutory beyond reasonable doubt criterion.

For example, from WorkSafe Victoria:

The test is based on the existing common law test for criminal negligence in Victoria, and is an appropriately high standard considering the significant penalties for the new offence.

https://www.worksafe.vic.gov.au/victorias-new-workplace-manslaughter-offences

Post-event in court, from R2A’s experience acting as expert witnesses, there are three levels in the hierarchy of control:

  • Elimination,
  • Prevention, and
  • Mitigation.

In causation terms this is most simply shown as a single line threat-barrier diagram, such as the one for COVID-19 below.

Our collective safety regulators have other views. For example, the 2015 Code of Practice (How to Manage Work Health and Safety Risks), which has been adopted by Comcare and NSW, has 3 levels of control measures, whereas many other jurisdictions adopt a 6-level system, as in Western Australia. Victoria has a 4-level system.

This inconsistency between jurisdictions seriously undermines the whole idea of harmonised safety legislation. And it also muddles optimal SFAIRP control outcomes. For example, engineering can be an elimination option, as in removing a navigation hazard, a preventative control as in machine guarding, or a mitigation as in an airbag in a car.

In R2A’s view, which we have tested with very many lawyers, the judicial formulation shown below is the only hierarchy of control capable of surviving legal scrutiny and R2A’s preferred approach.


Contact the team at R2A Due Diligence for further advice on hierarchy of controls for due diligence.


SFAIRP Culture

The Work Health & Safety (WHS) legislation has changed the way organisations are required to manage safety issues. With the commencement of the legislation in WA on 31 March 2022, as well as the introduction of criminal manslaughter provisions in some states, there appears to be an increased energy around safety due diligence.

The legislation requires SFAIRP (so far as is reasonably practicable).

A duty imposed on a person to ensure health and safety requires the person:

(a)     to eliminate risks to health and safety, so far as is reasonably practicable; and 

(b)     if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable.

This means that the historical concepts of ALARP (as low as reasonably practicable), risk tolerability and risk acceptance do not apply.

From the handbook for the Risk Management Standard (ISO 31000):

Importantly, contemporary WHS legislation does not prescribe an ‘acceptable’ or ‘tolerable’ level of risk—the emphasis is on the effectiveness of controls, not estimated risk levels. It may be useful to estimate a risk level for purposes such as communicating which risks are the most significant or prioritising risks within a risk treatment plan. In any case, care should be taken to avoid targeting risk levels that may prevent further risk minimisation efforts that are reasonably practicable to implement.
(SA/SNZ HB 205:2017 page 14)

In cultural terms, James Reason outlines three types of risk culture: pathological, bureaucratic and generative.

The SFAIRP approach is attempting to move safety from the pathological question:

Is this bad enough that we have to do something about it,

to the generative perspective:

Here’s a good idea, why wouldn’t we do it?

In this framework, Codes of Practice and Standards are the bureaucratic starting point.  The objective is to do better than that, when reasonably practicable to do so. The aim is the highest reasonable level of protection.

The Act ensures a ‘transparent bias’ in favour of safety. As the model act says (and all jurisdictions including NZ have adopted):

… regard must be had to the principle that workers and other persons should be given the highest level of protection against harm to their health, safety and welfare from hazards and risks arising from work as is reasonably practicable.

This is a change in mindset for many organisations, but one which easily aligns with human nature.

On a personal level, we (at R2A) are always trying to do the best we can especially for others. This is one of the reasons I continue to work on Apto PPE, a line of fit-for-purpose female hi vis workwear including a maternity range.

I know that women represent only a small proportion of the engineering and construction sector (around 10%), but the question shouldn’t be “are the current options of PPE for women bad enough that we need to do something about it?”

The question should be: Can we do better than scaled down men’s PPE? And Apto PPE is happy to provide an option for organisations that want to do better.


SFAIRP not equivalent to ALARP

The idea that SFAIRP (so far as is reasonably practicable) is not equivalent to ALARP (as low as reasonably practicable) was originally discussed in Richard Robinson’s article in the January 2014 edition of Engineers Australia Magazine, and in the 2014 update of the R2A text (Section 15.3). At the time, it generated much commentary to the effect that major organisations like Standards Australia, NOPSEMA and the UK Health & Safety Executive say that it is.

Fast forward to 2022 and this is still the case.

The following review considers each briefly. This is an extract from the 2022 update of the R2A text Engineering Due Diligence – How To Demonstrate SFAIRP (Section 19.3).

The UK HSE’s document, ALARP “at a glance” [1], notes:

“You may come across it as SFAIRP (“so far as is reasonably practicable”) or ALARP (“as low as reasonably practicable”). SFAIRP is the term most often used in the Health and Safety at Work etc Act and in Regulations. ALARP is the term used by risk specialists, and duty-holders are more likely to know it. We use ALARP in this guidance. In HSE’s view, the two terms are interchangeable except if you are drafting formal legal documents when you must use the correct legal phrase.”

R2A’s view is that the prudent approach is to always use the correct legal term in the way the courts apply it, irrespective of what a regulator says to the contrary.

NOPSEMA are quite clearly focussed on the precautionary approach to risk. Their briefing paper on ALARP [2] indicates in the Core Concepts that:

“Many of the requirements are qualified by the phrase “reduce the risks to a level that is as low as reasonably practicable”. This means that the operator has to show, through reasoned and supported arguments, that there are no other practical measures that could reasonably be taken to reduce risks further.” (Bolding by R2A).

That is, NOPSEMA wish to ensure that all reasonable practicable precautions are in place which is the SFAIRP concept. Indeed, later in Section 8, Good practice and reasonable practicability, there is a discussion concerning the legal, court driven approach to risk. Whilst ALARP is mostly used elsewhere in the document, here NOPSEMA notes:

“When reviewing health or safety control measures for an existing facility, plant, installation or for a particular situation (such as when considering retrofitting, safety reviews or upgrades), operators should compare existing measures against current good practice. The good practice measures should be adopted so far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to existing plant, for example, all the good practice expected for new plant. However, there may still be ways to reduce the risk e.g. by partial solutions, alternative measures, etc.” (Bolding by R2A).

Standards Australia seems to be severely conflicted in this area in many standards, some of which are called up by statute. For example, the Power System Earthing Guide presents huge difficulties.

Another example is AS 5577-2013 Electricity network safety management systems. Section 1.2 Fundamental Principles, point (e), requires SFAIRP for risk elimination and ALARP for risk reduction across the life cycle:

Hazards associated with the design, construction, commissioning, operation, maintenance and decommissioning of electrical networks are identified, recorded, assessed and managed by eliminating safety risks so far as is reasonably practicable, and if it is not reasonably practicable to do so, by reducing those risks to as low as reasonably practicable. (Bolding by R2A).

It seems that Standards Australia simply do not see that there is a difference. The terms appear to be used interchangeably.

Safe Work Australia is only SFAIRP [3]. There does not appear to be any confusion whatsoever. For example, the Interpretative Guideline – Model Work Health and Safety Act: The Meaning of ‘Reasonably Practicable’ indicates:

“What is ‘reasonably practicable’ is determined objectively. This means that a duty-holder must meet the standard of behaviour expected of a reasonable person in the duty-holder’s position and who is required to comply with the same duty.

“There are two elements to what is ‘reasonably practicable’. A duty-holder must first consider what can be done - that is, what is possible in the circumstances for ensuring health and safety. They must then consider whether it is reasonable, in the circumstances to do all that is possible.

“This means that what can be done should be done unless it is reasonable in the circumstances for the duty-holder to do something less.

“This approach is consistent with the objects of the WHS Act which include the aim of ensuring that workers and others are provided with the highest level of protection that is reasonably practicable.”

ALARP is simply not mentioned, anywhere.

Although the ALARP versus SFAIRP debate continues in many places and the current position of many is that SFAIRP equals ALARP, nothing could be further from the truth.

For engineers, the meaning is in the method; results are only consequences.

SFAIRP represents a fundamental paradigm shift in engineering philosophy and the way engineers are required to conduct their affairs. 

It represents a drastically different way of dealing with future uncertainty.

It represents the move from the limited hazard, risk and ALARP analysis approach to the more general designers’ criticality, precaution and SFAIRP approach.

That is;

From: Is the problem bad enough that we need to do something about it?

To: Here’s a good idea to deal with a critical issue, why wouldn’t we do it? 

SFAIRP is paramount in Australian WHS legislation and has flowed into Rail and Marine Safety National law, amongst others.

In Victoria, SFAIRP has now also been incorporated into Environmental legislation.

Apart from the fact that SFAIRP is absolutely endemic in Australian legislation with manslaughter provisions to support it proceeding apace, SFAIRP is just a better way to live.

It presents a positive, outcome driven design approach, always testing for anything else that can be done rather than trusting an unrepeatable (and therefore unscientific) estimation of rarity for why you wouldn’t.


If you'd like to learn more about SFAIRP for Engineering Due Diligence, you may be interested in purchasing our textbook. If you'd like to discuss how R2A can help your organisation, fill out our contact form and we'll be in touch. 


Editor's note: This article was originally published on 22 January 2014 and has been updated for accuracy and comprehensiveness.

[1] https://www.hse.gov.uk/managing/theory/alarpglance.htm viewed 21 February 2022
[2] https://www.nopsema.gov.au/sites/default/files/documents/2021-03/A138249.pdf viewed 21 February 2022
[3] https://www.safeworkaustralia.gov.au/system/files/documents/2002/guide_reasonably_practicable.pdf viewed 21 February 2022


SFAIRP Land Use Planning

One of the little recognised consequences of the use of SFAIRP is its implications for land use planning, particularly for industries that can have significant offsite consequences like major hazards facilities (MHFs), dams and licensed pipelines.

The whole point of the WHS legislation is to avoid unreasonably injuring your neighbour. As the Brisbane born English law lord, Lord Atkin put it in 1932:

Who then in law is my neighbour? The answer seems to be persons who are so closely and directly affected by my act that I ought reasonably to have them in contemplation as being so affected when I am directing my mind to the acts or omissions which are called in question.

We are not aware of any regulator in any Australian or New Zealand jurisdiction that disagrees with his view.

Applying the SFAIRP process means spelling out the credible worst case scenario for the facility of interest. Then it must be made plain to everyone that this is the case so that relevant neighbours, especially Council planners and developers, can design accordingly.

Figure: Decreasing SFAIRP precautions with distance from the major hazard facility

From a design perspective, every site has issues; this can include windstorm hazards, geotechnical and earthquake potentials, storm surge, flooding and inundation, lightning strike potentials, etc. For the design to be successful, all these must be addressed.

Adopting the SFAIRP approach to land use planning in these circumstances means that the closer to the hazard a structure is, the greater the precautions need to be. In principle, provided the level of protection is high enough, there are no limits to where a structure could be built in relation to the major hazard facility presented above.

The fact that there is a MHF chemical exposure, gas transmission pipeline, or dam upstream is just another hazard to be managed.

If in order to be safe, people wind up in an unaffordable, unattractive, underground air conditioned bunker, then it may be that the project will not proceed, but this would be for commercial reasons, not SFAIRP safety ones.

R2A have completed a number of these land use planning reviews over the last five years or so. To check for off-site credible fire scenarios, R2A use a common and reasonably user-friendly CFD program, Fire Dynamics Simulator (FDS). 

As a result of our SFAIRP reviews, all stakeholders including the pipeline business, the developers and architects and the regulator have agreed to the level of protections / precaution required to demonstrate SFAIRP.

Plan View 100 m x 100 m Kerosene Pool Fire with 20 kt wind


You may also be interested in listening to Richard & Gaye discussing Land Use Planning & Major Hazards in this Risk! Engineers Talk Governance podcast episode.


Due Diligence & Risk Timeline Arguments

When you know there are problems but have insufficient resources to fix them all at once…

During a recent discussion with a client, the topic of risk timelines came up and I realised that although we use it as a background concept in much of our work we haven’t articulated it in our textbooks or previous blogs.

The idea of a risk timeline approach recognises that you can’t do everything all at once because there are always constraints – time, people and resources.

Unless the situation is prohibitively dangerous for a critically exposed group (in which case the activity needs to be stopped and addressed immediately) then a risk timeline approach can be used.

Contemporary WHS/OHS legislation requires risks be eliminated so far as is reasonably practicable, and if they can’t be eliminated, reduced SFAIRP.  


This means that the focus of a risk timeline argument is always on solutions.


A risk timeline argument includes:

  • A program to address each particular issue of concern over a specified timeframe

  • A list of prioritised works; we at R2A would suggest based on safety criticality first

  • Categorisation of potential controls in terms of short, medium and long term SFAIRP solutions or options

  • Identification and recognition of opportunities to address known issues of concern during other works especially major upgrades.

The key to a risk timeline argument, however, is to make sure that:

  • funding is available to start the program,

  • works are underway, and that there is

  • a realistic, believable program in place to achieve the desired results.

The management of credible critical issues of concern, even if rare, cannot be deferred indefinitely.

If you'd like to discuss risk timelines for your due diligence project, please contact us.


Environmental Protection now SFAIRP

A while back, R2A had a blog entitled Precaution v Precaution wherein we wondered how the precautionary principle (derived from the 1992 Rio Convention) enunciated in the then Environmental Protection Act in Victoria compared to the SFAIRP approach of OHS/WHS legislation.

Well, we have the answer! In Victoria at any rate.

From 1 July 2021, SFAIRP is paramount. It is formally included in the Environment Protection Act 2017 (Victoria). Victorians now have a duty to positively demonstrate due diligence for both safety and the environment.

Similar to the WHS/OHS Acts, Section 6 of the revised act states:

(1) A duty imposed on a person under this Act to minimise, so far as reasonably practicable, risks of harm to human health and the environment requires the person -

(a) to eliminate risks of harm to human health and the environment so far as reasonably practicable; and

(b) if it is not reasonably practicable to eliminate risks of harm to human health and the environment, to reduce those risks so far as reasonably practicable.

Section 18 describes the hierarchy of waste control:

Waste should be managed in accordance with the following order of preference, so far as reasonably practicable -

  • avoidance;
  • reuse;
  • recycling;
  • recovery of energy;
  • containment;
  • waste disposal.

Strangely, Section 20 retains the Rio Convention approach:

If there exist threats of serious or irreversible harm to human health or the environment, lack of full scientific certainty should not be used as a reason for postponing measures to prevent or minimise those threats.

Section 25 summarises a General Environmental Duty (GED):

A person who is engaging in an activity that may give rise to risks of harm to human health or the environment from pollution or waste must minimise those risks, so far as reasonably practicable.

In attempting to explain the significance of all this, it’s probably important to understand that this is actually a lawyers’ articulation of a principle of moral philosophy, initially inserted into the common law by the Brisbane-born English law lord, Lord Atkin (Donoghue v Stevenson (1932)), and which has subsequently flowed into Australian statute law:

The rule that you are to love your neighbour becomes in law you must not injure your neighbour; and the lawyer's question "Who is my neighbour?" receives a restricted reply. You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour.

Who then in law is my neighbour? The answer seems to be persons who are so closely and directly affected by my act that I ought reasonably to have them in contemplation as being so affected when I am directing my mind to the acts or omissions which are called in question.

This is just the principle of reciprocity: do unto others as you would have done unto you.

With that understanding, much of the legal palaver becomes quite obvious.

In dam safety terms, for example, it asks the question:

 “If you lived downstream of a large dam, how would you expect the dam to be designed and managed in order to be safe?”

Even though the dam meets recognised good practice for design, operation and maintenance, if more could be done to make the dam safer at reasonable cost, ought that not be done?

After all, if the dam failed, and there was a simple cost-effective precaution that could have prevented the disaster, shouldn’t it have been done? And oughtn’t people who have lost loved ones be cranky with those who failed to do those reasonable things?

This is probably where this new SFAIRP approach has the greatest impact. It is no longer acceptable to say that you complied with an Australian or other standard.

Standards are just the starting point. You must do more if you reasonably can, a matter which will be forensically tested post-event.

Indeed, if you use a standard as the design tool, without testing if more can reasonably be done, you are probably already in breach of the legislation.

As Paul Wentworth, a partner in Minter Ellison put it in 2011:

… in the performance of any design, reliance on an Australian Standard does not relieve an engineer from a duty to exercise his or her skill and expertise.

If you would like to discuss how this may affect your organisation's obligations or due diligence in general, contact us for a chat.


Why Hazops fail the SFAIRP test & why this is important

R2A recently presented a free webinar, Why Hazops fail the SFAIRP test. It covers one of the more frequently asked questions we receive as Due Diligence Engineers.

Hazops are a commonly used risk management technique, especially in the process industries. In some ways the name has become generic, in the sense that many use it to mean any safety sign-off review held before the design is frozen, a bit like the way the English hoover the floor when they actually mean vacuum the floor.

Traditionally, Hazop (hazard and operability) studies are done by taking a particular element (node) of a plant or process and testing it against a defined list of deviations from design intent, built from guidewords such as no, more, less and reverse applied to parameters such as flow, pressure and temperature, to see what the implications for the system as a whole might be. That is, they are bottom-up in nature and so provide detailed technical insight into the potential safety and operational issues of complex systems. They can certainly produce important results.

However, like many bottom-up techniques they have problems with identifying high-consequence common-cause and common-mode failures. This arises simply because the Hazop process is bottom-up in nature rather than top-down.

A detailed assessment of individual components or sub-systems, such as a Hazop, examines how that component or sub-system can fail under normal operating conditions.

Hazops do not examine how a catastrophic failure elsewhere (like a fire or explosion) might simultaneously affect this component or the others around it.

Hazops attempt to address such ‘knock-on’ effects with a series of general questions asked after the detailed review is completed, but even so it remains difficult to use a Hazop to determine credible worst-case scenarios.

This is exacerbated by the use of schematics to functionally describe the plant or equipment being examined. Unless the analysis team has an excellent spatial / geographic understanding of the system being considered, it’s very hard to see what bits of equipment are being simultaneously affected by the blast, fire or toxic cloud.

This means that it is difficult to use a Hazop to determine credible worst-case scenarios and ensure SFAIRP has been robustly demonstrated for all credible, critical hazards.
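As an added illustration of the point above (this is not R2A’s material, and it uses a constructed plant rather than any real one), the Python model below runs the two reviews side by side. The functional schematic knows only which equipment provides which plant function; the zone field is the spatial information the schematic does not show. The bottom-up review fails one tag at a time, the top-down review fails everything in the zones an escalating event reaches, and the last function picks out the redundant functions whose providers all share a zone, which is the common-cause exposure a node-by-node review cannot see. Tags, zones and events are all invented for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    tag: str       # equipment tag as it appears on the schematic (constructed)
    function: str  # plant function the item provides, which is all the schematic shows
    zone: str      # physical location, which the schematic does not show


# Constructed plant: two redundant boiler feed pumps, two cooling water pumps, one shutdown PLC.
PLANT = [
    Component("P-101A", "boiler feed", "pump bay"),
    Component("P-101B", "boiler feed", "pump bay"),
    Component("P-201A", "cooling water", "pump bay"),
    Component("P-201B", "cooling water", "cooling tower"),
    Component("PLC-1", "shutdown logic", "control room"),
]

# Constructed escalating events and the zones each one reaches.
EVENTS = {
    "fire in pump bay": {"pump bay"},
    "blast at cooling tower": {"cooling tower"},
    "control room fire": {"control room"},
}


def functions_lost(plant, failed_tags):
    """A plant function is lost only when every component providing it has failed."""
    providers = {}
    for c in plant:
        providers.setdefault(c.function, set()).add(c.tag)
    failed = set(failed_tags)
    return sorted(f for f, tags in providers.items() if tags <= failed)


def bottom_up_single_failures(plant):
    """Hazop-style node-by-node review: one component deviates at a time, the rest are assumed healthy."""
    return {c.tag: functions_lost(plant, {c.tag}) for c in plant}


def top_down_zone_events(plant, events):
    """Scenario review: an event takes out every component located in the zones it reaches."""
    outcome = {}
    for name, zones in events.items():
        failed = {c.tag for c in plant if c.zone in zones}
        outcome[name] = functions_lost(plant, failed)
    return outcome


def common_cause_exposures(plant):
    """Redundant functions whose every provider sits in one zone: redundancy that a single event defeats."""
    by_function = {}
    for c in plant:
        by_function.setdefault(c.function, []).append(c)
    exposures = {}
    for function, comps in by_function.items():
        zones = {c.zone for c in comps}
        if len(comps) > 1 and len(zones) == 1:
            exposures[function] = zones.pop()
    return exposures


if __name__ == "__main__":
    print("bottom-up:", bottom_up_single_failures(PLANT))
    print("top-down:", top_down_zone_events(PLANT, EVENTS))
    print("common cause:", common_cause_exposures(PLANT))
```

Run stand-alone it prints the three views. The point is that P-101A and P-101B are each survivable on their own, so a per-node worksheet records boiler feed as a protected, redundant function, yet a single fire in the pump bay loses it; the only way to see that is to ask what else the fire reaches.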

For a limited time, you can watch the webinar recording of the presentation on Why Hazops cannot demonstrate SFAIRP here.

If you’d like to discuss any aspect of this article, your due diligence / risk management approaches, or how we can conduct an in-house briefing on a particular organisational due diligence issue, contact us for a chat.


R2A’s MISSION STATEMENT

the work we do: People as ends, not means & Making a Difference

Last year’s extended Covid-19 lockdown in Victoria meant many in business reviewed what they do, how they do it and, ultimately, why they do it.

R2A, as a small firm of consulting engineers, has always had a business view that has seemed a little different to many we encounter. Whilst we understand the need to be profitable, that has never been the primary motivation.

We have always felt that what we do must be worthwhile, not just to ourselves but for the people (our clients) for whom we do it.

Practically, if we can’t make sense of what we are being asked to do, we decline to keep doing it, to the very great surprise and puzzlement of well-paying customers.

The decision to reject a client and potentially put the business under serious financial stress does cause a certain introspection, and a retesting of the proposition: why are we here and why are we doing it?

Ultimately, the reason is that we believe we make a difference.

That what R2A is and does improves the place, and, when we have likeminded clients, it’s a joy to do. And we get paid to do it. Such an understanding means that we want to get up and go to work.

It also has other flow on effects. In the philosopher Immanuel Kant’s terms, it means you treat people as ends in themselves, not merely a means to an end. This rejects traditional authoritarian hierarchical management styles.

Rather than telling people what to do and how to do it, you provide ‘pits of opportunity’ for them to fall into and see how they go. When it succeeds, results are outstanding and extraordinary. Focussed, effective enthusiasm abounds.

In this context, it may surprise some of our clients to know that R2A owns a small female PPE business, Apto PPE.

Apto is the result of Gaye’s involvement with the Women in Engineering Group at Engineers Australia and a collective frustration with being forced to wear ill-fitting scaled down men’s PPE onsite. The intention of the Apto business was to force the market to respond and deliver a better outcome for women in industry. This necessitated the design, manufacture and small-scale sale of tested superior women’s PPE garments in Australia.

For the most part this strategy has worked, although it appears that unless the pressure is sustained on the market, it will revert. To this end the R2A board has determined that R2A will continue to sponsor Apto until it becomes a self-sustaining business.

We make this decision continuing to align with why we’re in business; believing we’ll make a difference.

Gaye Francis & Richard Robinson


Why Due Diligence is now a 'Categorical Imperative'



WA adopts WHS legislation with criminal manslaughter provisions
NZ charges 13 under HSWA over White Island eruption that killed 22

The adoption of the model WHS legislation in Australasia is now practically complete with the passing of the act by the Western Australian parliament.  Whilst yet to be proclaimed, the WA version includes criminal manslaughter provisions with a maximum penalty of 20 years for individuals.

Victoria is now formally the only state not to have adopted the model WHS Act, although this is practically inconsequential, as the due diligence concept to demonstrate SFAIRP (so far as is reasonably practicable) is embodied in the 2004 OHS Act, and the criminal manslaughter provisions of same commenced on the 1st of July this year.

New Zealand adopted the model WHS legislation in the form of the Health and Safety at Work Act 2015. Judging by the number of commissions R2A has had in NZ in 2020, it has come as a bit of a surprise to many, particularly to those using the hazard-based approach of target levels of risk and safety such as ALARP (as low as reasonably practicable), that these have been completely superseded by the new legislation and cannot demonstrate safety due diligence.

New Zealand has not presently adopted the criminal manslaughter provisions being introduced into Australia, but it did include the significant penalties for recklessness (knew or made or let it happen) with up to 5 years jail for individuals.

In all Australasian jurisdictions, regulators appear prosecutorially active with a number of cases presently under investigation and before the courts. For example, the White Island volcano incident in New Zealand which killed 22. Ten parties and 3 individuals have been charged.

Perhaps what has surprised many in NZ is the observation by NZ Worksafe, that for critical (kill or maim) hazards like volcanic eruptions, it only has to be reasonably foreseeable, not actually have happened before. That is, the fact that the hazard has not occurred before is not sufficient to warrant not thinking about it any further.

All in all, due diligence has become endemic, to the point that it has become, in the philosopher Immanuel Kant’s terms, a categorical imperative.

That is, our parliamentarians and judges seem to have decided that due diligence is universal in its application and creates a moral justification for action. This also means the converse, that failure to act demands sanction against the failed decision maker, which is being increasingly tested in our courts.


The Laws of Man vs The Laws of Nature & Safety Due Diligence

One of the odder confusions that R2A happens upon is the proposition that the laws of man are always paramount in all circumstances. It seems to occur most often with persons who work exclusively in the financial sector.

From an engineering perspective, this is just plain wrong.

When dealing with the natural material spacetime universe, the laws of nature are always superior.

After some cogitation, we suspect that this confusion results from the substance with which the financial parties deal, specifically, money.

Sometime ago, over lunch with a banker out of Hong Kong, it was pointed out by R2A that money wasn’t real. The banker expressed surprise and asked what we meant by that. Our reply was that money does not exist in a state of nature. For example, it does not grow on trees. It is a human construct which prosperous societies apparently need to succeed, but of itself, is not directly subject to the laws of nature.

The banker’s response was to ask us not to mention this to anyone.

From this, we conclude that for financial people at least, compliance with the legislation, and the regulations made under it, that directly applies to the concept and use of money does demonstrate financial due diligence, since the laws of nature are simply not relevant.

However, in the case of safety due diligence, just complying with the laws of man and ignoring the laws of nature will just end in disaster after disaster since the laws of nature are immutable.

To demonstrate safety due diligence requires that the laws of nature are understood and managed in a way that satisfies the laws of man – in that order. 

Remember that, legally, safety risk arises because of insufficient, inadequate or failed precautions, not because something is intrinsically hazardous.

For example, flying in a jet aircraft or getting into low earth orbit is intrinsically hazardous, but with enough precautions, it’s fine.

Leave a critical precaution out or let one fail and you will crash and burn. It’s inevitable.

Much the same has been happening with the Covid-19 crisis as discussed in our blog a few months ago (read article here).

Going directly to a political fix without understanding the science is going to hurt. Getting both right is necessary, but it has to be in the right sequence.

Overall, it’s always been no contest – the laws of nature have always trumped the laws of man, except when dealing with non-natural human constructs like money, debt and suchlike over which the laws of nature have no direct control.


Postscript: Risk, as a concept, has many of the same problems as money. It’s a human judgement about what might happen.

For example, consider the popular heat map shown below.

Law of Nature vs Man Risk Heatmap

Most users spot-the-dot to characterise the risk associated with a particular issue. But technically it is necessary to know the actual shape of the risk curve for that hazard (the wriggly line going from left to right), which is difficult for real spacetime hazards, let alone for human judgements of non-material constructs like money.

Strictly it’s also necessary to integrate the area under the risk curve (shown as the darkened area), which is never done. This just goes to show how flexible the concept of risk can be.
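To make the postscript concrete, here is an added worked example in Python (it is not R2A’s code, and the heat-map bands and the risk curve are constructed for illustration). One hazard is represented not as a dot but as a curve of outcomes, each with its own consequence and annual frequency. Spotting the dot picks the most likely outcome and scores one cell; integrating the curve, which for discrete outcomes collapses to a sum of frequency times consequence, gives the expected annual consequence and shows which other cells the same hazard occupies. The example goes one step beyond the text by reporting how much of the integrated risk sits in each cell.

```python
# Heat-map bands, constructed for this example: (band name, lower bound of the band).
LIKELIHOOD_BANDS = [("likely", 1e-1), ("possible", 1e-2), ("unlikely", 1e-3), ("rare", 0.0)]
CONSEQUENCE_BANDS = [("catastrophic", 1000.0), ("major", 100.0), ("moderate", 10.0), ("minor", 0.0)]

# Constructed risk curve for a single hazard: (consequence size, annual frequency of an event of that size).
# Each outcome carries the same frequency x consequence product, a deliberately flat curve.
RISK_CURVE = [(1.0, 1e-1), (10.0, 1e-2), (100.0, 1e-3), (1000.0, 1e-4)]


def band(value, bands):
    """Name of the first band whose lower bound the value reaches (bands listed highest first)."""
    for name, lower in bands:
        if value >= lower:
            return name
    return bands[-1][0]


def heat_map_cell(frequency, consequence):
    """The (likelihood band, consequence band) cell a single point lands in."""
    return band(frequency, LIKELIHOOD_BANDS), band(consequence, CONSEQUENCE_BANDS)


def spot_the_dot(curve):
    """What most users do: plot the most likely outcome and score that one cell by frequency x consequence."""
    consequence, frequency = max(curve, key=lambda cf: cf[1])
    return heat_map_cell(frequency, consequence), frequency * consequence


def cells_spanned(curve):
    """Every cell the curve passes through, not just the one the dot sits in."""
    return sorted({heat_map_cell(f, c) for c, f in curve})


def integrated_risk(curve):
    """Expected annual consequence: the area under the curve, a plain sum for discrete outcomes."""
    return sum(f * c for c, f in curve)


def risk_share_by_cell(curve):
    """Fraction of the integrated risk carried by each cell, which shows where the dot is silent."""
    total = integrated_risk(curve)
    shares = {}
    for c, f in curve:
        cell = heat_map_cell(f, c)
        shares[cell] = shares.get(cell, 0.0) + f * c / total
    return shares


if __name__ == "__main__":
    print("dot:", spot_the_dot(RISK_CURVE))
    print("cells:", cells_spanned(RISK_CURVE))
    print("integrated:", integrated_risk(RISK_CURVE))
    print("shares:", risk_share_by_cell(RISK_CURVE))
```

With the constructed curve the dot lands in the likely / minor cell with a score of 0.1, while the integrated risk is 0.4 and a quarter of it sits in the rare / catastrophic cell the dot never visits. The integral, not the dot, is what the downstream neighbour is exposed to.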


Criminal Manslaughter - Australian paradigm shift for engineers & standards

The rise of criminal manslaughter provisions in health and safety legislation, coupled with the registration of engineers in Queensland, New South Wales and Victoria, heralds a paradigm shift for engineers and the role of standards in Australian jurisdictions.

On 1 July 2020, Victoria commenced the criminal manslaughter provisions of the 2004 OHS Act. Quoting the premier:

Workplace manslaughter is now a criminal offence in Victoria with tough new laws introduced by the Victorian Government coming into effect today.

Negligent employers now face fines of up to $16.5 million and individuals face up to 25 years in jail, sending a clear message to employers that putting lives at risk in the workplace will not be tolerated.

The new offence of workplace manslaughter will be investigated by WorkSafe Victoria, using their powers under the Occupational Health and Safety Act 2004.

The offence applies to employers, self-employed people and ‘officers’ of the employer. It also applies when an employer’s negligent conduct causes the death of a member of the public.

https://www.premier.vic.gov.au/wp-content/uploads/2020/07/200701-Victorian-Workplace-Manslaughter-Laws-Now-In-Effect.pdf 

The last sentence suggests that a faulty product that kills a member of the public caused by the negligence of a designer, manufacturer or supplier as an employer is also included.

By negligence, Worksafe Victoria means:

Voluntary and deliberate conduct is 'negligent' if it involves a great falling short of the standard of care that a reasonable person would have exercised in the circumstances and involves a high risk of death, serious injury or serious illness. It is a test that looks at what a reasonable person in the situation of the accused would have done in the circumstances. The test is based on existing common law principles in Victoria.

https://www.worksafe.vic.gov.au/victorias-new-workplace-manslaughter-offences

It is understood that these new provisions have been legislated consistent with the recommendations of the 2018 review of the model WHS legislation to enhance the Category 1 offence (Recommendation 23a) and to provide for industrial manslaughter (Recommendation 23b).

This extends the criminal provisions beyond the recklessness (knew or made or let it happen) provisions that had applied in some jurisdictions (notably Queensland and the ACT) to include negligence (what ought to have been known).

Taken in the context of the registration of engineers in Queensland (RPEQ) and impending registration of engineers in Victoria and New South Wales, these duties are likely to become extraordinarily onerous for those who hold themselves out to be technical experts in particular fields of endeavour.

Historically, many engineers have relied on Australian Standards to be the arbiter of recognised good practice. Indeed, many standards were called up by statute, meaning that compliance was prescriptive, and that compliance-with-the-standard was de rigueur.

But things have changed in the last two decades. Parliamentary counsels’ advice has been consistent that it’s not appropriate to derogate the power of parliament to unelected standards committees.

This observation, coupled with the less than successful management of major disasters ranging from bushfires to financial crises, culminating in numerous Royal Commissions and judicial investigations into child sexual abuse, misconduct in banking and finance, aged care, as well as bushfires, indicates that more could have been done and that many ought to have done it.

It seems that the question for our parliamentarians became: how can we make decision makers (and designers) responsible for their decisions?

And the answer seems to be that, rather than just being responsible at common law for negligence (a matter for which insurance can be purchased), make them criminally responsible by statute (but always excluding state and federal ministers).

Note relevant legal opinion such as in an article in Engineers Australia Magazine of March 2009 (Page 38):

Engineers cannot avoid liability in negligence or for Trade Practices Act contravention by simply relying on a current or published standard or code.

Leigh Duthie, Phillipa Murphy and Angela Sevenson of Baker & McKenzie, Melbourne

And also:

Engineers should remember that in the eyes of the court, in the absence of any legislative or contractual requirement, an Australian Standard amounts only to an expert opinion about usual or recommended practice. Also, that in the performance of any design, reliance on an Australian Standard does not relieve an engineer from a duty to exercise his or her skill and expertise.

Paul Wentworth, Partner, Minter Ellison (28th March 2011)

So, following the recommendation of the Review of the model Work Health and Safety laws - Final report December 2018, criminal recklessness (knew or made or let it happen) and criminal negligence (ought to have known) are being rolled out, with Victoria being the most recent, commencing on 1 July 2020.

One imagines that a creative lawyer would use such a statement to include the products of engineering endeavours, which in an advanced technological society means most things.

Under the Professional Engineers Registration Act 2019 (due to commence on 1 July 2021), registered engineers are also obliged to comply with approved codes of conduct which one imagines will also reinforce all of this.


The importance of Safety Due Diligence: Keeping directors out of jail

Coroner's Finding into Dreamworld Thunder River Rapids

The death of four young people at Dreamworld in the Thunder River Rapids in October 2016 has brought the prospect of criminal prosecution of Directors for safety failures to the fore, or, as we say, Safety Due Diligence.

Press reports have indicated that the Queensland Government has accepted the Coroner's findings and referred the matter to the independent Work Health and Safety Prosecutor to decide whether action would be taken against Ardent, the owners of Dreamworld. Presumably such action would likely be criminal proceedings under Section 31 Reckless conduct—category 1 of the Qld WHS Act 2011.

Reckless Category 1 offences are usually summarised as ‘knew or made or let it happen’. Simply put, it asks:

Did the Board (especially the Chairman and Managing Director of the day) know of the issue and ensure that all reasonably practicable precautions were in place, or had they downplayed it and relied on ‘luck’?

Based on press reports, it seems as though the ride’s safety issue was a known problem and despite the expressed concerns of employees, it was basically ignored or, at least, not taken seriously.

Criminal offences must be proved ‘beyond reasonable doubt’ which is a very robust test.

To give a feeling for what it entails, the prosecution of a General Manager in ACT in 2015[1] provides insight.

In this case the Director of Public Prosecutions acted on behalf of Worksafe ACT. Essentially, Mr Munir AL-Hasani was charged as an Officer (General Manager) of Kenoss Contractors, a small family-owned (husband and wife directors) road construction company, over the death of a contractor.

For the most part, the charges were proved. However, during the hearing it became clear that despite the title of general manager, Mr AL-Hasani did not have the right to hire or fire and could not commit corporate funds. Accordingly, Magistrate Walker was not satisfied that Mr AL-Hasani’s role, beyond reasonable doubt, rose to that of an Officer of the company and so the charge was dismissed.

Such a governance detail seems unlikely to apply to the Dreamworld case. The Chairman and Managing Director would appear to be Officers for the purposes of the legislation.

According to the Coroner, the issue was known to the organisation and some precautions, but not all reasonably practicable precautions, were established.

From R2A’s perspective, this would seem to be a form of failure based on the well-known ‘Rumsfeld manoeuvre’ or an ‘unknown known’. That is, known to the organisation but unappreciated by decision makers.

Can this be proved beyond reasonable doubt in the Dreamworld case? We don’t know, but we suspect that it will be a close-run thing.

At R2A we had anticipated that the rise of such WHS safety imperatives was likely to cause the appointment of technologically savvy Directors; at least in high tech industries subject to high consequence-low likelihood events and in those jurisdictions where proven failure was criminal (initially Qld and ACT). But since then most other Australian jurisdictions have also adopted criminal manslaughter provisions.

All in all, what happens in Queensland next will certainly have the undivided attention of Directors and their safety due diligence processes. As it should.

If you'd like to learn more about R2A's Safety Due Diligence approach, you may be interested in watching our Safety Due Diligence webinar recording.


[1] Brett McKie v Munir AL-Hasani & Kenoss Contractors Pty Ltd (In Liq). Industrial Court of the Australian Capital Territory before her Honour Industrial Magistrate Walker.


Coronavirus Pandemic & Safety Due Diligence

A fabulous array of material has emerged on government websites regarding the Coronavirus (COVID-19). Safe Work Australia has published an interesting article on the connection to WHS legislation. This emphasises that employers have a duty of care to eliminate or minimise risk, so far as is reasonably practicable (SFAIRP).

There then follow numerous precautions described in enormous and voluminous detail. In an attempt to cut to the chase, R2A decided to apply our usual precautionary approach to the whole thing to see if we could clarify what all this means.

So far as we can tell, the core difficulty with the new coronavirus is that it is very, very contagious. Much more so than ordinary flu.

This means it will escalate with startling speed and easily overwhelm our medical resources unless stringent measures to reduce the infection rate are implemented.

To calculate the infection rate, a probabilistic epidemiological model appears to be in use, as shown conceptually above. That is, all the individual transmission pathways may not be fully understood, but an overall probabilistic transmissivity model can be created.

From a statistical viewpoint, if enough people are involved, the predictions should be quite robust, and this is presumably the basis of our governments’ concerns.

Causal workplace infection pathway single line threat barrier diagram

Following the hierarchy of controls, the threat-barrier diagram above identifies the elimination option (a vaccine), the precautions such as isolation and infection control prior to the loss of control point and then the mitigation options including hospitalisation which act after the loss of control point.

However, from the perspective of any single infection, there will likely be a single causal chain of events, which can be interrupted in various ways, particularly following the hierarchy of controls enshrined in the WHS legislation.

Such an understanding enables SFAIRP to be demonstrated. There would be different sequences for different paths; family, hospitals, workplace, team sports and the like.

From an employer /employee perspective, we think the single line threat-barrier diagram shown above is a reasonable first cut.
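As an added example (not R2A’s diagram or code), the Python below encodes a single-line threat-barrier chain of the kind described above. Precautions sit before the loss-of-control point and are ordered by the hierarchy of controls in the model WHS Regulations (elimination, substitution, isolation, engineering, administrative, PPE); mitigations sit after it and act only on the consequence. The barrier names, failure probabilities and exposure rate are constructed for illustration and are not epidemiological estimates. What the structure shows is why elimination dominates and why mitigation on its own leaves the likelihood of infection untouched.

```python
from dataclasses import dataclass
from math import prod

# Hierarchy of controls, most preferred first, as the WHS legislation asks you to work through it.
HIERARCHY = ["elimination", "substitution", "isolation", "engineering", "administrative", "ppe"]


@dataclass(frozen=True)
class Barrier:
    name: str
    level: str    # one of HIERARCHY, or "mitigation" for controls that act after loss of control
    p_fail: float  # probability the barrier fails to interrupt the chain when challenged (constructed)


def precautions(barriers):
    """Barriers before the loss-of-control point, sorted by the hierarchy of controls."""
    return sorted((b for b in barriers if b.level != "mitigation"),
                  key=lambda b: HIERARCHY.index(b.level))


def mitigations(barriers):
    """Barriers after the loss-of-control point."""
    return [b for b in barriers if b.level == "mitigation"]


def p_loss_of_control(p_exposure, barriers):
    """Likelihood side: an exposure becomes an infection only if every precaution fails in turn."""
    return p_exposure * prod(b.p_fail for b in precautions(barriers))


def residual_consequence(harm_uncontrolled, barriers):
    """Consequence side: mitigations scale the harm of an infection, never its likelihood."""
    return harm_uncontrolled * prod(b.p_fail for b in mitigations(barriers))


def expected_harm(p_exposure, harm_uncontrolled, barriers):
    """Likelihood x consequence for one causal chain."""
    return p_loss_of_control(p_exposure, barriers) * residual_consequence(harm_uncontrolled, barriers)


# Constructed workplace chain. p_fail values are illustrative only.
VACCINE = Barrier("vaccine (threat removed)", "elimination", 0.0)
ISOLATE = Barrier("symptomatic staff stay home", "isolation", 0.3)
DISTANCE = Barrier("split shifts and spacing", "engineering", 0.5)
HYGIENE = Barrier("hand hygiene and cleaning", "administrative", 0.7)
MASKS = Barrier("masks", "ppe", 0.6)
TREAT = Barrier("early testing and treatment", "mitigation", 0.5)
HOSPITAL = Barrier("hospital care", "mitigation", 0.2)

OPTIONS = {
    "no controls": [],
    "mitigation only": [TREAT, HOSPITAL],
    "administrative and PPE": [HYGIENE, MASKS, TREAT, HOSPITAL],
    "full hierarchy": [ISOLATE, DISTANCE, HYGIENE, MASKS, TREAT, HOSPITAL],
    "elimination": [VACCINE, TREAT, HOSPITAL],
}


def compare_options(p_exposure, harm_uncontrolled, options=OPTIONS):
    """Expected harm per option, lowest first: the comparison a SFAIRP argument has to put on the table."""
    scored = {name: expected_harm(p_exposure, harm_uncontrolled, bs) for name, bs in options.items()}
    return dict(sorted(scored.items(), key=lambda kv: kv[1]))


if __name__ == "__main__":
    # Constructed inputs: one in five staff exposed over the period, one unit of harm per uncontrolled infection.
    for name, harm in compare_options(0.2, 1.0).items():
        print(f"{name:24s} {harm:.5f}")
```

With the constructed numbers, mitigation alone leaves the chance of an infection exactly where it was (0.2) and only trims what happens afterwards, the administrative and PPE layer cuts it by a third, and the full hierarchy cuts it by more than an order of magnitude; elimination takes it to zero, which is why the legislation puts it first.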

If you'd like to learn more about our Safety Due Diligence approach, read our White Paper here.


Australia’s Bushfires from a Due Diligence Perspective

Like you, we have been devastated by the recent bushfire events in Victoria, NSW and Queensland. We hope you have been able to stay safe and have not been directly affected. Richard and I have been reflecting on bushfires in history and if there are any key take away messages from a due diligence perspective.

Richard’s involvement with bushfire risk reviews commenced in the 1980s following the Ash Wednesday fires in Victoria. As part of a research project, Richard completed a threat and vulnerability assessment to see if there were any precautions that were missing from (then) current practices.

The outcome was that there were significant risk reduction benefits associated with improved town planning. This involved placing large fire breaks, such as golf courses and potato fields, to the north and west of the town.

From the CFA website:

A change in wind direction is one of the most dangerous influences on fire behaviour. Many people who die in bushfires get caught during or after a wind change.

In Victoria, hot, dry winds typically come from the north and northwest and are often followed by a southwest wind change. In this situation the side of the fire can quickly become a much larger fire front.

Richard was then a member of the Powerline Bushfire Safety Taskforce that followed the Black Saturday fires in 2009.

My involvement continues on the Powerline Bushfire Safety Committee.

One of the key findings of the Black Saturday Royal Commission was that the majority of the fires were started by electrical assets, and that these fires contributed significantly to the huge number of fatalities.

I am very proud to be involved in the roll out of REFCLs (Rapid Earth Fault Current Limiters) in Victoria, and their contribution to improving bushfire safety. Data from a total fire ban day in November 2019 revealed that REFCLs on the electrical network are working to reduce the number of fire starts from electrical assets.

Although bushfires of this magnitude were a new occurrence for NSW in 2019/20, there are many learnings from past Victorian fires that can be applied.

And, it is interesting to compare the community’s response to cyclones in the north of Australia to community responses in bushfire prone areas.

Buildings in cyclone prone areas are subject to more stringent building codes, and during cyclone warning periods it is typical practice for people living in those areas to go home and prepare their house. All loose items of furniture are removed or tied down, shutters are closed, and communities are generally shut down.

The same does not occur in bushfire prone areas.

As due diligence engineers we ask the question: is there anything more that can be done?

The focus should always be on precautions rather than mitigations and we should certainly learn from past experiences.

In light of these recent events, we have revisited our Safety Due Diligence White Paper and Powerline Bushfire Safety Taskforce Case Study. We hope you find them interesting and insightful.

Read our Safety Due Diligence White Paper

Read our Powerline Bushfire Safety Taskforce Case Study
