Submissions for the Gas Supplementary Issues Paper on the review of Victoria’s electricity network safety framework closed on Friday 16 June. Along with the following organisations, R2A welcomed the opportunity to respond to the independent review.

• Australian Energy Market Operator
• Australian Energy Regulator
• Australian Gas Light Company
• Australian Gas Networks
• APA VTS
• Engineers Australia
• Jemena
• Multinet
• R2A

Our response focuses on the following particular aspects of the review:

• The objectives of the safety framework in Victoria and an assessment of its effectiveness in achieving safety outcomes.
• The extent to which the regulatory framework governing network safety ensures effective risk management by energy network businesses.

In particular the reliance on the traditional quantified risk assessment (QRA) and the ALARP (as low as reasonably practicable) approach using target risk criteria (tolerable or acceptable) by the gas and major hazard industries which has two primary difficulties:

• Arguable non-compliance with the provisions of the Gas Safety Act (1997) and OHS Act (2004), and,
• Disutility for land use (safety) planning that the QRA-ALARP-target-risk-criteria process facilitates.

Many of the points in R2A’s submission on the electricity networks also apply to the Victorian gas industry. Much of R2A’s submission on the electrical safety in Victoria is devoted to explaining why the legal presentation of SFAIRP (so far as is reasonably practicable) is not equivalent to ALARP (as low as reasonably practicable). This argument also applies to gas safety.Such an observation always generates commentary to the effect that major organisations like Standards Australia, NOPSEMA and the UK Health & Safety Executive (UK HSE) (a much-quoted source) say that it is.For example, WorkSafe Victoria’s information sheet[1] on land use planning near a major hazard facility states that operators of an MHF must reduce risk to the surrounding area so far as is reasonably practicable where it cannot be eliminated. However, it then goes on to say that WorkSafe believes it appropriate to present the extent of risk areas around a MHF as planning advisory areas:

1. Inner planning advisory area – the individual risk of fatality from potential foreseeable incidents is greater than or equal to 1 x 10^-7 per year (one chance in 10 million years).

These key points are expanded in the body of the submission together with a possible way forward. See the full response here.[1] https://www.worksafe.vic.gov.au/resources/land-use-planning-near-major-hazard-facility for current advice for Major Hazards land use planning from Worksafe Victoria (viewed 14 June 2017).

On 19 January 2017, the Minister for Energy, Environment and Climate Change announced an independent review of Victoria’s Electricity Network Safety Framework, to be chaired by Dr Paul Grimes. On 5 May 2017, the Minister announced an expansion to the review's terms of reference to include Victoria’s gas network safety framework.It has been more than a decade since the current safety framework has been in place and it is timely to review the existing arrangements to ensure they adequately reflect the needs of the community in an increasingly complex environment.The review will include extensive consultation with industry and the community to inform the development of a final report and recommendations.Consistent with the expanded terms of reference, the Review of Victoria’s Electricity and Gas Network Safety Framework examines the safety framework applicable to the electricity and gas networks in Victoria and assesses its effectiveness in achieving desired safety outcomes. It will review the design and adequacy of the safety regulatory obligations, incentives and other arrangements governing the safety of Victoria’s electricity and gas networks.The existing Secretariat established within the Department of Environment, Land, Water and Planning to support the independent reviewer, Dr Paul Grimes, has been additionally resourced.Submissions for the Issues Paper on the review of Victoria’s electricity network safety framework closed on Friday 28 April. Along with the following organisations, R2A welcomed the opportunity to respond to the independent review.

• AER
• AusNet Services
• Attentis Technology
• CitiPower/Powercor - Submission 1
• CitiPower/Powercor - Submission 2
• Energy and Water Ombudsman of Victoria
• Jemena
• Neca
• r2a
• United Energy
• WorkSafe

Our response focuses on the following particular aspects of the review:

• The objectives of the safety framework in Victoria and an assessment of its effectiveness in achieving safety outcomes.
• The design and adequacy of the safety regulatory obligations (including safety cases and the Electricity Safety Management Scheme), incentives and other arrangements governing energy network businesses and any opportunities for improvement.

R2A’s overall perception is that electrical networks in Australia and New Zealand operate in an evolving and interesting regulatory space with overlapping financial, safety and security of supply issues. There is also a plethora of sometimes contradictory standards. Wending a path that simultaneously satisfies all of the competing issues is complex and fraught with methodological superstition. This undoubtedly creates substantial unnecessary expense and waste.From the viewpoint of an effective safety framework, the key issues we believe are causing the greatest angst at the moment are as follows:

1. Competition v Cooperation PolicyThe mantra of competition policy is being considered in isolation from the rest of the competing requirements for the safe (and reliable) delivery of electrical energy. This includes both security of supply and safety generally, and especially in Victoria major bushfires started by the electricity network. For example, high reliability requires redundancy whereas commercial efficiency is typically achieved by running without headroom. The current manifestation of economic competition policy does not deal effectively with disaster scenarios (where cooperation is essential) especially for low likelihood, high consequence events, such as black or ash bushfire days which occur about once every 25 years in Victoria.
2. Risk Management Standard v Occupational Health and Safety LegislationThe obligations of Victoria’s Occupational Health and Safety (OHS) legislation conflict with the Risk Management Standard (ISO31000) which most corporates and governments mandate. This is creating very serious confusion, particularly with the understanding of economic regulators.The risk management standard tries to manage ‘risk’ to ‘acceptable’ levels, whereas the 2004 Victorian OHS Act (and now model WHS legislation) ensures that everyone is entitled to the same minimum level of protection (but not necessarily the same level of risk).
3. Network Standards with Internal ContradictionsStandards with internal contradictions like AS 5577:2013 – Electrical network safety management systems and the EG(0) Power System Earthing Guide create enormous tensions. Specifically, they advocate using target risk criteria such as ALARP, below which risks are deemed ‘tolerable’ and do not require further action, a position in conflict with the health and safety legislation passed by all Australian parliaments and decisions of the High Court of Australia.

These key points are expanded in the body of the submission together with a possible way forward. See the full response here.

We desire that our world be prosperous and safe. And it seems that due diligence has become essential to these outcomes. Due diligence (or care) is a legal concept, derived from the societal need to ensure fairness in dealings between human beings. It has been variously defined, for example:

The diligence reasonably expected from, and ordinarily exercised by, a person who seeks to satisfy a legal requirement or obligation¹ and,A minimum standard of behaviour which provides against contravention of relevant regulatory provisions and adequate supervision ensuring that the system is properly carried out.²

Such legal obligations can be created by statute law, for example the Model Work Health and Safety Act (2011)³ or from the common law as a defence against negligence⁴.Engineering due diligence is all about ensuring that the laws of nature and the laws of man simultaneously align. Sometimes this really does require moral courage and persistence.Risk, and its close cousin reliability, are not scientific concepts. Certainly there are elements like consequence modelling that are scientific. But the reason why things go wrong is more to do with human confusion or greed rather than a misunderstanding of the science.Taking chances (risks?) to advance the human cause (and yes, make money) must be encouraged – but doing it recklessly and endangering others - should be discouraged. The solution is due diligence, not risk management.

¹Black’s Law Dictionary, 4th Edition (2009)

²LexisNexis Concise Australian Legal Dictionary, 4th Edition (2011)

^{3 Risk & Reliability - Engineering Due Diligence (9th edition)}

^{4 Risk & Reliability - Engineering Due Diligence (9th edition)}

Risk management is a key element required in large infrastructure development projects. Organisations want a robust and transparent system that can be utilised during current and future development phases of a project to inform decision-making and guide levels of investment in various project investigations.

In setting up a risk management framework for a project it is essential that it take account of all risks to Project including technical, environmental, economic, stakeholder, political delivery and on-going operational considerations.  This must be done in the context of the current operations.

The risk management framework and system must be set up so that the Organisation has confidence in the process and results, ownership of the outcomes and can maintain and utilise the system going forward.  It must be set up to ensure that the project is right the first time.

To ensure the project is successful in terms of both delivery and ultimate project performance, R2A has developed a project due diligence methodology.

This differs from the traditional project risk management approach.

Traditional project risk management isn’t always as successful as desired especially in the eyes of the government when it comes to delivering large projects.  This is because it does not view the project from finish to start.  It typically only refers to the management of project uncertainty during the construction phase (tendering to commissioning) as shown in the diagram below.  This short sightedness is the cause of many delays and budget / cost blowouts as well as not achieving the ultimate goals of the project.

Project due diligence refers to the consideration of risk over the entire project life cycle.  The due diligence aspect arises from confirming that the ultimate objectives (critical success factors) of the fully functioning outcomes are achieved for all stakeholders rather than just the delivery portion to the contract specification.

Project due diligence uses a combination of top down and bottom up risk techniques and generally involves two main tasks: a high level functional vulnerability assessment and associated risk profiling supported by specific detailed bottom up reviews.  The overall concept can be described by the following figure.  Sometimes an intermediate assessment is also required to deal with issues on a geographic or zonal basis, especially for infrastructure projects.

The benefits of the project due diligence approach are:

1. 1. The project critical success factors in terms of performance are identified and articulated by the Organisation long term.  This ensures all risk work (current and future) is completed in the decision maker’s context.
   2. The project is able to focus on the credible critical threats to both project performance (the owner’s concerns) and project delivery (the contractor’s concerns).
   3. The Organisation has a confidence that all potential project show stoppers have been identified and are being effectively managed.
   4. Project scoping and sub-project planning is optimised before tendering / detailed design.
   5. Value adding opportunities are identified during the planning stages.
   6. The project does not experience unexpected issues.

1. The potential for continual blowouts in terms of cost and time in minimised.
2. A succinct and manageable risk register is developed.

This ensures the organisation has confidence in the risk management process and results and will help to ensure that the project is right the first time.

For further information on we can help your organisation with your project's due diligence using engineering methodologies, contact us on 1300 772 333 or fill in our contact form and we'll be in touch.

With the paradigm shift occurring to precautionary risk assessment from hazard-based risk assessment, R2A have heard a number of discussions suggesting that if an organisation demonstrates ALARP (as low as reasonably practicable) then can also demonstrate due diligence.

R2A’s opinion is that this may not necessarily be the case. The concept of ALARP is in fact hazard focused, comparing risk (likelihood and consequence) to acceptable or tolerable target levels of risk and safety.  The use of such quantified risk assessment processes to satisfy target (tolerable or acceptable) risk criteria has never been able to satisfy post event common law scrutiny in Australia, which requires a demonstration of due diligence.

However, many industries that use the ALARP principle currently appear to be redefining its meaning by adding a number of caveats in what appears to be an attempt to close the due diligence loop and satisfy the courts after an event.  The shift from hazard based risk assessment to due diligence is shown in the diagram below.

Common law vs. target risk approaches to risk management

The notes in blue in the diagram describe the several difficulties associated with the target risk approach.

Firstly, hazard analysis and risk calculations are inherently unrepeatable.  Two independent risk experts assessing the same circumstances or situation never come up the same numerical answer (unless they use deliberately identical assumptions and processes in which case the assessment is not independent).  QRA risk calculations are always imperfect especially with regard to human failings and management systems.  Quoting Mark Tweeddale (2003):

“In the case of the process industry, most of the major disasters in recent years have resulted primarily from failures of management systems, which would not have been included in the quantitative assessment of risk, and not from random equipment failures such as are statistically assessable using data from data banks.  This is a most serious limitation...”

Secondly, risk criteria are subjective.  The old adage should probably be extended to; there are lies, damned lies, statistics and then there are target risk criteria.  Most risk criteria are based on statistical analyses.  The traditional way to determine them is to consider mortality statistics.  But they are just that, statistics.  The numbers change according to the exposed group selected.  For example, the lightning strike death rate of around 1 in 10 million (for the whole population) is often selected as the lower limit to risk scrutiny.  However, if the mortality figures for the group of people who play golf during lightning storms are considered, it will be much higher.  Which number ought to be used?

Further, the inconsistency in individual and societal risk criteria between states, especially Victoria and NSW dating from the mid-nineties is problematic.  The flexible choice of societal risk criteria for the land use planning criteria by NSW Department of Planning (DoP) for the Kurnell Peninsula QRA in the 2007 study is seriously problematic.

Thirdly, if the risk associated with a hazard is below acceptable or tolerable threshold, there is a tendency to say that nothing further needs to be done, which is always problematic with low frequency, high severity events.  This leads to the fourth concern, which the temptation is to implement a precaution that reaches the target threshold without formally considering the hierarchy of controls.

Therefore, it is my opinion that to demonstrate that ALARP is the same as due diligence is indeed complex and is prone to a tortuous, error prone path.

Thoughts on AS/NZS ISO 31000

In Australia, we are currently undergoing a paradigm shift in the way safety risk management is conducted. The new Work Health & Safety Act is replacing the old approach typified by the standard, AS/NZS ISO 31000.

We have heard conversation in the Engineering community that the move away from AS/NZS ISO 31000 doesn’t necessarily it present a better way forward and the standard can in fact demonstrate safety due diligence.  R2A does not share this view.

The key issue arises from the use of the notion of target (tolerable or acceptable) levels of risk.  The standard is quite specific in the definitions and process explanations:

2.24 risk evaluationprocess of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable

5.4.4 risk evaluationRisk evaluation involves comparing the level of risk found during the analysis process with risk criteria established when the context was considered. Based on this comparison, the need for treatment can be considered.

The section on the treatment options is more careful.

5.5.2 Selection of risk treatment optionsSelecting the most appropriate risk treatment option involves balancing the costs and efforts of implementation against the benefits derived, with regard to legal, regulatory, and other requirements such as social responsibility and the protection of the natural environment. Decisions should also take into account risks, which can warrant risk treatment that is not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks.

The point of the new due diligence approach is to deal with the severe safety (high negative consequence) but rare events.  The standard seems to suggest that this is a supplementary risk management concern, not a primary focus.

Unfortunately by following the standard for safety risk management, businesses may in fact be heading towards a ‘beyond reasonable doubt’ proof of recklessness in the event of a serious injury or death, which potentially creates criminal liabilities for responsible officers under the provisions of the new WHS Act.

R2A has described on a number of occasions how the standard fails.  In particular, RES 2010 regarding the use of iso-risk contours for Major Hazards land use safety planning after the Buncefield incident, CORE 2010 regarding rock falls in rail cuttings and the Tunnel Conference in Lyon.

At R2A, we are excited by the paradigm change and believe it is a better way forward.  Please drop us a line if you have any questions.

Questions & Answers

Reader response regarding Richard's article - 'Engineering Implications of the Harmonised Safety Legislation'

This is a response that Richard received following the publication of an article in Engineering Media. Read the article here.

Hi Richard

Safety assurance is one of the 3 key elements of technical integrity (the other elements being fitness-for-service and environmental compliance), and as such risk assessments are a fundamental and important part of our engineering activities.

Your recent article in the January 2012 edition of the Engineers Australia magazine was a very interesting read, and has generated numerous discussions amongst my engineering colleagues. Thus, I am seeking some clarification on a number of statements made in your article, as follows:

Reader question –

Your article suggests that the 5 x 5 risk assessments matrix approach developed under the AS/NZS 4360 or AS/NZS ISO 31000 are fundamentally flawed under the due diligence requirements of the new harmonised safety legislation.

I have a difficulty in accepting this argument in the way that we currently conduct our risk assessments utilising the ISO 31000 standard and a tailored 5 x 5 risk matrix, as follows:

1. Hazards/risks are identified.
2. Qualitative (and sometimes quantitative) criteria for likelihood and consequences (for safety, performance and environment) are defined against which a risk level (untreated) is determined from a 5 x 5 matrix (i.e. low, medium, high, extreme). Qualified Objective Quality Evidence (OQE), rather than subjective opinion normally supports this assessment.
3. Subsequently, a risk mitigation activity is conducted in order to determine credible and precautionary risk mitigation strategies. The mitigation strategies are normally based on a Hierarchy of Controls (safety) approach to ensure that the level of effort (e.g. cost, schedule, resources, redesign, etc) is balanced and commensurate with the level of identified risk.
4. Thus, risk mitigation (or treatment) strategies are developed and proposed for implementation, and a subsequent residual (i.e. treated) level of risk is determined. Mitigations can include, for example; redesign, restrictions, additional training, warning/cautions in technical documentation/manuals, etc. In addition, these risk assessments are actively managed and reviewed.
5. The residual risk is then presented to the 'customer' (or executive authorities) for consideration for acceptance. Noting that the risk assessments we conduct are technical risk assessments, which are conducted by competent technical staff in consultation with relevant stakeholders (e.g. equipment users/operators, maintainers, trainers, etc).
6. Acceptance of the technical risks are then considered for acceptance by the relevant authority while balancing all other risks (e.g. operational, schedule, budget, etc).

Not sure I understand your arguments in the reference EA article, thus, seek your clarification as to how the above process which uses the 5 x 5 risk matrix based on AS/NZS ISO 31000 is considered flawed? Please clarify.

Richard response –

Originally the 5 x 5 matrix approach was derived from US and UK military standards in the 70s. At that time it appears to have been used as a reporting tool for military personnel to explain by exception the issues of concern in the value system of their decision makers. More recently, and especially by accounting and management firms, it has been used as a corporate risk decision criteria tool, especially in the sense that once the dot made it to the green area, no further risk reduction was required. This never satisfied the common law.

You sound like you are using it more in the original military sense. As a reporting tool, its use has always been fine.

Reader question –

By risk criteria, do you mean 'the acceptance of risk criteria'?

Richard response –

Yes. The notion of tolerable or target levels of risk.

Reader question –

Does acceptable risk criteria under the new laws actually mean 'so far as is reasonably practicable (SFARP)'?

If we can achieve SFARP, regardless of whether the residual risk is medium, high, etc, (i.e. provided the level of effort required to reduce the risk to SFARP is balanced and commensurate with the significance of the risk) then is due diligence not demonstrated?

Richard response –

SFARP may mean this. I'm not a lawyer. I avoid the term (and ALARP for that matter), as the final test will be in court, post event, judged to the common law duty of care. So I use the High Court's understanding of that duty and how this court expects it to be demonstrated.

Reader question –

Do you believe that the SFARP principle of common sense precautionary approach on risk reduction replaces the doctrine of risk tolerability (such as ALARP principle) or complements the efforts already accomplished in managing the risk of 'actual harm'?

Richard response –

Yes. The common law precautionary approach replaces the doctrine of tolerable or acceptable risk.

FYI - I have briefed the senior counsel for Defence in this whole matter (the OHS partner in Blake Dawson in Sydney) and he volunteered that the approach I mentioned in that article would demonstrate due diligence under the model act.