Implications for Designers of the Engineers Australia
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline (3rd Edition) Gaye Francis and Richard Robinson Directors, R2A Due Diligence Engineers Introduction The 3rd Revision of the Engineers Australia Safety Case Guideline is in draft form. It extends the precautionary common law safety case concept of the two earlier editions (2002 and 2007) to consider how the safety case can be used as a tool to positively demonstrate safety due diligence consistent with the provisions of the model Work Health and Safety (WHS) legislation that has commenced all Australian jurisdictions except, at the time of writing, Western Australia and Victoria. The Guideline outlines the shift from hazard based risk assessment supported by the risk management standard to the precautionary due diligence approach now mandated by most Australian parliaments. Such a change has significant implications for designers, especially in the use of standards that use target levels of risk and safety such as EG(0) Power System Earthing Guide and IEC 61508 the Functional Safety Assessment standard as a design tool. Any design that relies on a process that is specifically rejected by statute will provide for serious legal difficulties. And in the event of a fatality, a beyond reasonable doubt proof of recklessness would be available, which is expected to lead to criminal charges for responsible officers of designer PCBUs (person conducting a business or undertaking). Much of the subject of this paper was also presented in an IDC 2011 conference1 before the commencement of the WHS act in Australian jurisdictions. The authors have since tested the position described in this paper with many lawyers and in-house legal counsel, to the unanimous approval of them all. 1 Gaye E Francis and Richard M Robinson (2011). Power Safety Due Diligence. Proceedings of the IDC “Power System Protection & Earthing Forum“. Perth. 23-24 November 2011. 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 1
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline System of Law in Australia There are two basic kinds of laws in Australia: statute law, which is made by a Parliament consisting of democratically elected members, and common law, which is law made by judges when deciding cases2. Statute law (also called legislation) may be made by the Commonwealth Parliament, or by the Parliament of a State or Territory. Common law has its origins in England in the 12th century, before there was any Parliament in England, when the King of England at that time (Henry II) appointed members of his court to hear complaints and do justice on his behalf. Judges making decisions drew on their notions of justice or fairness, sometimes customs or traditions, sometimes Roman law. Reasons for judges’ decisions were recorded, and this body of case law, known as the common law, became the most important source of law for judges. In time, judges considered themselves to be bound to follow the precedents set by other judges in earlier cases. The High Court of Australia is the highest court in the Australian judicial system. It was established in 1901 by Section 71 of the Constitution3. The functions of the High Court are to interpret and apply the law of Australia; to decide cases of special federal significance including challenges to the constitutional validity of laws and to hear appeals, by special leave, from Federal, State and Territory courts. Australia inherited the common law system from the UK. And with the passage of the Australia Acts of the1980s eliminating appeals to the Privy Council, the High Court of Australia become the ultimate ‘reference’ for Australian case law. In Australia court cases are conducted under the adversarial system in which the court is asked to adjudicate upon ‘issues’ put forward by the parties upon evidence adduced by the parties. The presiding judge has no power of inquiry (the ‘inquisitorial system’), unlike courts in parts of Europe4. There are several points about the adversarial system that need to be remembered. It is first and foremost a court of law. And the courts are always right even when they are in error as the decisions of appellate courts reveal. And, as the Engineers Australia notes in the brochure Are You at Risk5 (1990): Adversarial courts are not about dispensing justice, they are about winning actions. In this context, the advocates are not concerned with presenting the court with all the information that might be relevant to the case. Quite the reverse, each seeks to exclude information considered to be unhelpful to their side's position. 2 Adapted from: http://www.austlii.edu.au/au/other/liac/hot_topic/hottopic/2002/3/1.html viewed 5 April 2013. 3 Adapted from: http://www.hcourt.gov.au/about/role-of-the-high-court viewed 28 April 2013. 4 http://www.nswbar.asn.au/docs/resources/publications/structure.pdf viewed 5 April 2013. 5 Institution of Engineers, Australia (1990). Are You at Risk? Canberra. 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 2
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline The idea is that the truth lies somewhere between the competing positions of the advocates. Further, courts do not deal in facts, they deal in opinions. Again from Are You at Risk: What is a fact? Is it what actually happened between Sensible and Smart? Most emphatically not. At best, it is only what the trial court - the trial judge or jury - thinks happened. What the trial court thinks happened may, however, be hopelessly incorrect. But that does not matter - legally speaking. That is, in court, the laws of man take precedence over the laws of nature6, which can be particularly astonishing to engineers. In the adversarial system innocence must be assumed or there is no case to try. If the defendant pleads guilty, for example, the case stops immediately other than for the determination of the penalty. Engineering Due Diligence Due diligence (or care) is a legal concept, derived from the societal need to ensure fairness in dealings between human beings. It has been variously defined, for example: The diligence reasonably expected from, and ordinarily exercised by, a person who seeks to satisfy a legal requirement or obligation7 and, A minimum standard of behaviour which provides against contravention of relevant regulatory provisions and adequate supervision ensuring that the system is properly carried out.8 Such legal obligations can be created in the common law or by statute law as has occurred with the commencement of the Model Work Health and Safety (WHS) Act (2011) in most Australian jurisdictions. One immediate reaction to such a definition is to institute a legal and regulatory compliance audit. The difficulty with this approach to safety (meaning a lack of harm) is that in a complex industrial society mere compliance with legislation and all the regulations made by regulators under such legislation will not necessarily make any particular situation or circumstance safe in reality. To be safe requires that the laws of nature be managed competently prior to compliance with the laws of man. 6 For example, in Turner vs The State of South Australia (1982) (HCA), the judges in the High Court of Australia, when discussing why a lower court might have come to a particular judgement noted that: It is possible that their Honours were also influenced by the opinion of an orthopaedic surgeon, Mr Jose, that the upward force to required to raise a 400 lb drum from the prone to the upright position was 400 lbs. That evidence which was set out in the judgement of Williams J at the first instance is plainly mistaken. The upward force required to up-end a drum, with the bottom rim remaining on the ground, is an initial force of approximately 200 lbs which progressively decreases as the top end is raised. 7 th Black’s Law Dictionary, 4 Edition (2009) 8 th LexisNexis Concise Australian Legal Dictionary, 4 Edition (2011) 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 3
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Engineering due diligence is about overcoming this practical difficulty by ensuring that the laws of nature and the laws of man simultaneously align. Logically and practically, in order to be safe, it is better to manage the laws of nature first and then to confirm that the requirements of the laws of man have been met, rather than the other way around. Common Law Due Diligence Due diligence has been a primary defence against the tort (or wrong) of negligence in the common law. In this context, what constitutes due diligence in Australian case law has been established in a decision of the High Court of Australia. In an appeal to the High Court from the Court of Appeal of the Supreme Court of NSW9, Stephen J noted: This appeal involves interpretation of the Hague Rules. During heavy weather in the Great Australian Bight, the severity of which was unusual but not unforeseeable, a number of drums of cleaning solvent stowed in a ship's hold broke adrift, were damaged and their contents lost. The means of securing them in place in the hold had been inadequate. Under the Hague Rules (to which Australia is a signatory), Article IV Rights and Immunities states: 1. Neither the carrier nor the ship shall be liable for loss or damage arising or resulting from unseaworthiness unless caused by want of due diligence on the part of the carrier to make the ship seaworthy, and to secure that the ship is properly manned, equipped and supplied... Whenever loss or damage has resulted from unseaworthiness, the burden of proving the exercise of due diligence shall be on the carrier or other person claiming exemption under the section. Reynolds J.A. summed up the conclusion of the Court of Appeal of the Supreme Court of NSW in the following words: Loss or damage does not arise or result from perils of the sea where negligence is a concurrent cause. Where negligence allows or facilitates the perils of the sea to inflict damage on cargo, then in all relevant respects the loss or damage arises or results from the negligence. The perils of the sea must be guarded against by the use of due care. The judges of the High Court unanimously dismissed an appeal to the High Court and supported the view of the NSW Court of Appeal summarised by Reynolds J.A. above. And when 10 superior court judges unanimously agree on a particular point then this is robust case law and unlikely to change in the near future. 9Shipping Corporation of India Ltd v Gamlen Chemical Co. A/Asia Pty Ltd [1980] HCA 51; (1980) 147 CLR (12 December 1980) 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 4
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Model WHS Act (Statutory) Due Diligence The model WHS Act10 has commenced in most Australian jurisdictions, presently excepting Western Australia and Victoria. The act requires that responsible officers of PCBU’s (persons conducting a business or undertaking) to positively demonstrate safety due diligence. Penalties are criminal in nature and can provide for up to 5 years jail for responsible officers for recklessness (knew or made or let it happen). These responsibilities cannot be delegated, although as a statutory invocation, such charges must be proved beyond reasonable doubt. The meaning of due diligence is considered in Part 2, Division 4 (27) of the model WHS Act: (5) In this section, due diligence includes taking reasonable steps: (a) to acquire and keep up-to-date knowledge of work health and safety matters; and (b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; and (c) to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; and (d) to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; and (e) to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under this Act; and (f) to verify the provision and use of the resources and processes referred to in paragraphs (c) to (e). The first approved draft of the model act left due diligence to be determined by case law. The next cut defined due diligence to be the six points listed above. The third and subsequent revisions advised that due diligence includes... these six points. This single word change is perhaps significant. For example, the Workcover NSW 11 authority advises that, exercising due diligence includes, but is not 10 Model Work Health and Safety Act (revised draft 23 June 2011) as viewed at http://www.safeworkaustralia.gov.au/sites/swa/about/publications/pages/model-work-health-safety-act-23- june- 2011 on 5 April 2013. Note that each jurisdiction has implemented the legislation slightly differently although the general principles remain consistent. For example, the NSW uniquely imposes strict liability (Clause 12A). 11 WorkCover NSW, http://www.workcover.nsw.gov.au/newlegislation2012/Directorsandofficers/Pages/Duediligence.aspx, viewed 19 Oct 2012. 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 5
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline limited to: the six points listed above. The Australian government has provided the following definition in “Guidance for Officers in Exercising Due Diligence”12 under the WHS act: Due diligence – in the context of work health and safety – means taking every precaution that is reasonable in the circumstances to protect the health, safety and welfare of all workers and others who could be put at risk from work carried out as part of the business or undertaking. Reasonably Practicable According to the model WHS Act (Part 2, Division 1, Section 17) A duty imposed on a person to ensure health and safety requires the person: (a) to eliminate risks to health and safety, so far as is reasonably practicable; and (b) if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable. The meaning of reasonably practicable is defined in Subdivision 2: 18 What is reasonably practicable in ensuring health and safety? In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including: (a) the likelihood of the hazard or the risk concerned occurring; and (b) the degree of harm that might result from the hazard or the risk; and (c) what the person concerned knows, or ought reasonably to know, about: (i)the hazard or the risk; and (ii)ways of eliminating or minimising the risk; and (d) the availability and suitability of ways to eliminate or minimise the risk; and (e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk. In other words (quoting Barry Sherriff13, one of the lawyers who helped draft the legislation), the model WHS Act: Simply makes clear that you start with what can be done and only do less where it is reasonable to do so. 12 Guidance for Officers in Exercising Due Diligence, Australian government, http://www.comcare.gov.au/WHS/guidance_and_resources/guidance/guidance_for_officers_in_exercising _due_diligence/due_diligencewhere_to_start_and_what_does_it_mean_to_you viewed 1 April 2013. 13 Barry Sherriff (March 2011) from a presentation to Engineers Australia, Brisbane. 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 6
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Hazard to precaution based risk management The traditional way to address safety risk is to: • Identify the hazards • Characterise the risk (likelihood and consequence) associated with each hazard • Compare this risk to tolerable or acceptable risk criteria or targets • If the criteria are not satisfied, then to implement controls (precautions or mitigations) until they are. Such an approach has never satisfied common law judicial scrutiny. The diagram below shows the difference between the two approaches, especially for high consequence, low likelihood events. The top loop describes the traditional hazard focused analysis listed above. If the technical risk target were achieved in reality, the hazards of concern would not eventuate in the analyst’s lifetime. But this is not the way of the world. Sometimes bad things will happen and the courts will examine the results. Hazard focussed Technical risk targets Future uncertainty Decision re hazard Unwanted Event/s Judgement Time Future uncertainty Safety critical Judicial Scrutiny Precaution focussed Hazard vs Precaution focussed risk management14 The bottom loop describes the precautionary legal process applied by the courts. This is necessarily hindsight biased. The courts simply do not care how often matters went well. By definition, the courts only examine the minority of things that went wrong. After the event, the fact is certain. This means that, from the court’s viewpoint, prior-to-the-event estimates of rarity for serious events were presumably flawed and that, prima facie, those who made such estimates have provided beyond-reasonable doubt proof of negligence. As a judge in NSW has been reported as saying to engineers after a major accident: What do you mean you did not think it could happen? There are 7 dead. 14Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due th Diligence (9 Edition). R2A Pty Ltd. Page 26 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 7
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline The way the courts assess the situation is to consult post-event expert witnesses as to what could have been done to have prevented the disaster. Being an expert with the advantage of hindsight is a comparatively straight forward task. The only time the notion of risk is used in court is when the court is testing to see if the precautions suggested by such experts (after the event) were reasonable in view of what was known at the time of the decision. SFAIRP vs ALARP The diagram below describes the two approaches in a different way. The left hand side of the loop describes the legal approach which results in risk being eliminated or minimised so far as is reasonably practicable (SFAIRP) as described in the model WHS legislation. Common law approach Hazard identification Target risk approach (precaution based and criticality driven) (Foreseeability) (hazard based and risk driven) Criticality Establish critical Hazard analysis and risk calculation hazards process to determine the nature of risk and the level of risk Preventability (inherently unrepeatable) Identify all practicable precautions for each critical hazard following the hierarchy of controls Selected risk criteria terms of reference against which the significance of a risk is evaluated (inherently subjective) Risk Management Reasonableness of downside (negative or pure) risk Determine which practicable Compare against criteria precautions are reasonable process of comparing the results of risk based on the High Court analysis with risk criteria to determine whether established balance the risk and/or its magnitude is acceptable (disproportionality) (may eliminate further consideration of acceptable or tolerable risks) Implementation of reasonably practicable Risk mitigation and management options precautions SFAIRP ALARP process to modify risk. (may not follow the hierarchy of controls) Monitoring and Review (Quality assurance) Due Diligence Precaution vs hazard based approaches to risk management15 The hazard based loop, shown on the right hand side, attempts to demonstrate that risk is as low as reasonably practicable or ALARP. But there are major difficulties with each step of this approach as noted in blue. Firstly, hazard analysis and risk calculations are inherently unrepeatable. Two independent risk experts assessing the same circumstances or situation never come up with the same answer (unless they use deliberately identical assumptions and processes in which case the assessment is not independent). 15Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due th Diligence (9 Edition). R2A Pty Ltd. Page 167. 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 8
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Risk calculations and characterisations to enable a comparison with risk criteria are always imperfect especially with regard to human failings and management systems. Quoting Mark Tweeddale16: In the case of the process industry, most of the major disasters in recent years have resulted primarily from failures of management systems, which would not have been included in the quantitative assessment of risk, and not from random equipment failures such as are statistically assessable using data from data banks. This is a most serious limitation... Secondly, risk criteria are subjective. The old adage should probably be extended to; there are lies, damned lies, statistics and then there are target risk criteria. Most risk criteria are based on statistical analyses. The traditional way to determine them is to consider mortality and injury statistics. But they are just that, statistics. The numbers change according to the exposed group selected. For example, the lightning strike death rate of around 1 in 10 million (for the whole population) is often selected as the lower limit to risk scrutiny for individual risk. However, if the mortality figures for the group of people who play golf during lightning storms is considered, it will be much higher. Which number ought to be used? Further, the inconsistency in individual and societal risk criteria between states, especially Victoria and NSW dating from the mid- nineties is problematic. Thirdly, if the risk associated with a hazard is below acceptable or tolerable threshold, there is a tendency to say that nothing further needs to be done, which is always problematic with low frequency, high severity events. The overall situation is perhaps best summarised by Chief Justice Gibbs of the High Court of Australia17: Where it is possible to guard against a foreseeable risk, which, though perhaps not great, nevertheless cannot be called remote or fanciful, by adopting a means, which involves little difficulty or expense, the failure to adopt such means will in general be negligent. That is, it does not matter how low the risk estimate is, if more can be done for very little effort, then the failure to do so will be negligent, in the event of an incident This leads to the fourth concern; that the temptation is to implement a precaution that reaches the target risk threshold without formally considering the hierarchy of controls. 16 Tweeddale, M., 2003. Managing Risk and Reliability of Process Plants. Boston: Gulf Professional Publishing. 17 Turner v. The State of South Australia (1982) High Court of Australia before Gibbs CJ, Murphy, Brennan, Deane and Dawson JJ). 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies 9
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline The hazard based approach seems to address its legal limitations with regard to mitigations by adding caveats, for example from the NSW Land Use Safety Planning Guidelines18: While it is useful to have objective, quantitative risk criteria, qualitative principles are equally important. These include: 1. all ‘avoidable’ risks should be avoided; 2. particular attention needs to be given to eliminating or reducing major hazards, irrespective of whether numerical criteria are met; and 3. as far as possible, the consequences of significant events should be kept within facility boundaries. The legal system (which requires a demonstration of due diligence following the left hand side of the diagram) does not have this problem. As Andrew Hopkins19 notes: At law, employers must drive down risks as far as is reasonably practicable, and there is no level of risk which, a priori, can be said to be acceptable. Moreover, the law has a well-defined set of principles for determining whether risks are as low as reasonably practicable, and despite the indeterminacy of these principles, it is by no means clear that QRA and the tolerability / acceptability framework offers a better way of deciding how low is low enough. All this was not a legal issue whilst relevant statute law enabled the hazard based approach, as statute law always takes precedence over the common law. However, once the legal concept of due diligence is called up by statute via the model WHS act the issue can no longer be side stepped. The point of the shift is to ensure that all reasonable practicable precautions are in place rather than to achieve an indefensible tolerable or acceptable level of risk or safety, which is a typical result of the hazard based approach. As Carveth Read20 put it in 1898: It is better to be vaguely right than exactly wrong. 18 NSW Department of Planning (2011). HIPAP 4: Risk Criteria for Land Use Safety Planning. Page 3. Downloaded 5 April 2013 from: http://www.planning.nsw.gov.au/LinkClick.aspx?fileticket=mEA7owrSNTg%3d&tabid=168&language=en- AU. 19 Andrew Hopkins (2005). Safety, Culture and Risk. The Organisational Causes of Disasters. CCH Australia. p 137. 20 Carveth Read, Logic, deductive and inductive (1898). Earthing, Bonding & Surge Protection – IDC Technologies 10
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Due Diligence vs the Risk Management Standard This shift from a hazard based risk assessment approach (which appears to be encouraged by the risk management standard ISO 3100021) to the precautionary due diligence approach (encouraged by the common law and now the model WHS act), is summarised in the table below. Precaution based Due Diligence ≠ Hazard based ISO 31000 Precaution focused by testing all Hazard focused by comparison to practicable precautions for acceptable or tolerable target levels reasonableness, that is, on the of risk22 balance of the significance of the risk vs. the effort required to reduce it. Establish the context Establish the context Risk assessment (precaution based): Risk assessment (hazard based): Identify credible, critical issues (Hazard) risk identification Identify precautionary options (Hazard) risk analysis Risk-effort balance evaluation (Hazard) risk evaluation Risk action (treatment) Risk treatment Criticality driven Risk (likelihood and consequence) Usual interpretation of WHS Act & driven common law. Usual interpretation of AS/NZS ISO 31000 A paradigm shift from hazard to precaution based risk assessment The point of the shift is to ensure that all reasonable practicable precautions are in place (that is, so that risks are eliminated or minimised so far as is reasonably practicable or SFAIRP), rather than to achieve an indefensible target level of risk or safety (like ALARP), which is a typical result of the hazard based approach. The hazard based approach is all about inputs whilst the precaution based approach is all about outputs which is far more useful and productive. That is, not only are the requirements of the legislation met, it actually provides for superior safety outcomes more efficiently. 21 Standards Australia & Standards New Zealand, 2009. Risk Management Principles and Guidelines AS/NZS ISO 31000:2009. Sydney. 22 From the definition in AS/NZS ISO 31000: 2.24 risk evaluation process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable.” Earthing, Bonding & Surge Protection – IDC Technologies 11
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Implications for Designers If the arguments for the weaknesses of the hazard based approach (especially using acceptable or tolerable levels of risk) are accepted then the implications for designers in a great number of industries that deal with rare, high consequence events are profound. Two are described in the following sections, land use planning for major hazard industries and high voltage earthing. Land Use Planning Possibly the most unfortunate outcome of the use of hazard based analysis using target risk criteria is in land use safety planning for hazardous chemical facilities.23 Firstly, if the criteria are not satisfied it tends to sterilise planning areas from development. From an engineering perspective at least, this is just silly. Any site has issues, including windstorm hazards, geotechnical and earthquake potentials, storm surge, flooding and inundation, lightning strike potentials etc. For the design to be successful, all these must be addressed. The fact that there is a chemical exposure is just another hazard to be managed. If in order to be safe, people wind up in an unaffordable, unattractive, air conditioned bunker, then it may be that the project will not proceed. But this will be for commercial reasons, not safety ones. Credible worst case consequence contour Calculated 10-6 pa risk contour No special Normal building Major Exclusion zone Increasing precautions precautions standards apply hazard needed facility Target risk level approach Precautionary approach Precautionary vs target risk level approach to land use planning Secondly, it ignores rare, catastrophic hazards. For example, if a plot of the over-pressures at Buncefield (an unconfined vapour cloud that detonated in the UK in 2005) were to be mapped to any major hazard fuel farm in Australia, the area that can cause fatalities is huge. But although monstrous, this is historically a very rare event. If the event is discounted by the unlikelihood of its occurrence (at say 1 x 10-9 pa) in accordance with the risk target approach (typically 1 x 10-6 pa or 3 orders of magnitude larger) it is a much smaller area. 23 Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due th Diligence (9 Edition). R2A Pty Ltd. Page 169 Earthing, Bonding & Surge Protection – IDC Technologies 12
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Under most current planning regimes, structures developed beyond such 10-6 pa individual risk contours need only be building code compliant. No building is permitted closer to the major hazard facility. The diagram above describes the concept. Adopting the precautionary approach to land use planning in these circumstances means that, the closer to the hazard a structure is, the greater the precautions need to be. In principle, provided the level of protection is high enough, there are no limits to where a structure could be built in relation to the major hazard facility presented above. For example, immediately adjacent to the explosion, the protection required may be a concrete bunker as death may result directly from the overpressure. The direct overpressure danger may be reduced at some distance but a house with laminated windows may be required to prevent glass shards shrapnelling occupants. Beyond the credible worst case contour no protection from this hazard is required. The QRA (quantified risk assessment) calculation of the risk contour is beneficial only in terms of determining the level of protection that is required at a given location, enabling the common law test of the balance of the significance of the risk vs the effort required to reduce it to be applied. For example, between the 10-6 pa risk contour and the credible worst case consequence contour the cost of the provision of sheet metal roofs and laminated glass windows rather than tiles and ordinary glass, especially for new structures is very, very small indeed. If buildings are permitted between the designated 10-6 pa individual risk contour and accelerative glass over-pressure limits without such precautions, and an (admittedly rare) explosion resulting in deaths or injuries occurs, then the responsible officers of PCBUs responsible for approving and building such structures (town planners, developers, architects, engineers, builders etc) may be found negligent under common law and criminally reckless under the provisions of the new WHS legislation (knew or made or let it happen). EG(0), The Power System Earthing Guide EG(0), the Power System Earthing Guide24 appears to define risk limit targets consistent with the NSW Department of Planning guidelines as shown in the table and figure below. Table 4-1: Target individual fatality probability limits Probability of Risk classification single fatality Resulting implication for risk treatment for public death High or ≥ 10-4 Must prevent occurrence regardless of costs. Intolerable risk Intermediate or Must minimise occurrence unless risk reduction is impractical 10-4-10-6 ALARA Region and costs are grossly disproportionate to safety gained. Low or Risk generally acceptable, however, risk treatment may be ≤10-6 Tolerable risk applied if the cost is low and/or a normally expected practice. EG-0 individual risk limits 24 Energy Networks Association Limited (2010). EG-0 Power System Earthing Guide. Part 1: Management Principles. Version 1 – May 2010. Canberra. Earthing, Bonding & Surge Protection – IDC Technologies 13
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Figure 4-4: Societal F-N risk limits EG-0 societal risk limits » Intolerable Region—The risk profile must be reduced. » ALARA Region—Reduce the risk profile whenever possible, and only accept the residual risk on the basis of a risk cost benefit analysis (RCBA) (see Appendix F). The use of the ALARA principle (or ALARP) is clearly intended to form a key part of the Due Diligence process embodied in this Guide. The ALARM principle that requires a designer and asset owner to reduce the risk profile whenever possible provides a consistent yet practical means for managing earthing system related risk. » Low or tolerable Region—Risk generally acceptable, however, risk treatment may be applied if the cost is low and/or a normally expected practice. Whilst the table has further caveats that consider some of the weaknesses of the hazard based approach to risk described in this paper, for example, in the low or tolerable region, the overall use of such target risk levels remains contrary to the SFAIRP approach of the model legislation. Such an approach is especially problematic in states like Queensland that have modified the provisions of the Electrical Safety Act (Qld) to be entirely consistent (including penalties) with the provisions of the WHS act. As a consequence, the attempt by Energy Networks Australia (ENA) to introduce target risk based processes to assess the safety of earthing systems via EG(0), is flawed. It means that organisations and their officers that use such target risk based processes as the primary tool for risk decision making would be subject to post event scrutiny under the new model WHS legislation. In the event of a fatality such officers would presumably be prosecuted for acting recklessly under the criminal provisions of the act. It may also leave the ENA and its officers open to prosecution for endorsing and promoting an arguably suspect process. Earthing, Bonding & Surge Protection – IDC Technologies 14
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline Conclusion In reality, to be safe means to be free from harm. In court, safe means that, despite something apparently unsafe having happened, due diligence has been demonstrated. In engineering terms this means that to be safe requires managing the laws of nature in a way that is consistent with the laws of man, in that order. The Engineers Australia Safety Case Guideline has always adopted the precautionary common law formulation for the demonstration of due diligence as a defence against negligence, namely: • A completeness argument as to why all credible critical safety issues to all affected parties have been identified • A argument as to why all practicable precautions for each credible critical issue has been identified, • An argument as to which practicable precautions are reasonable consistent with decisions of the High Court of Australia, and • The establishment of a safety quality assurance regime to confirm that all reasonably practicable precautions are maintained on an continuing basis. Such an approach does not mean bad things can’t happen. It means (presuming that the activity is not prohibitively dangerous such that it should not occur at all) that all reasonable practicable precautions for all foreseeable, critical hazards to all affected parties are in place, based on the balance of the significance of the risk vs the effort required to reduce it. This also means that risks should be eliminated or minimised so far as is reasonably practicable (SFAIRP). The 3rd revision of the Guideline outlines the shift from hazard based risk assessment to the precautionary due diligence approach now mandated by most Australian parliaments. Such a change has significant implications for designers, especially in the use of standards that use target levels of risk and safety such as EG(0) Power System Earthing Guide as a design tool. Any design that relies exclusively on a process that is specifically rejected by statute will provide for serious legal difficulties. And in the event of a fatality, a beyond reasonable doubt proof of recklessness would be available, which would be expected to lead to criminal charges for responsible officers of designer PCBUs (person conducting a business or undertaking) under the provisions of the model WHS legislation. Earthing, Bonding & Surge Protection – IDC Technologies 15
You can also read