Implications for Designers of the Engineers Australia

Page created by Barry Chan
 
CONTINUE READING
Implications for Designers of the Engineers Australia
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

                                     Session Three:
  Implications for Designers of the Engineers Australia
            Safety Case Guideline (3rd Edition)

                         Gaye Francis and Richard Robinson
                               Directors, R2A Due Diligence Engineers

Introduction

The 3rd Revision of the Engineers Australia Safety Case Guideline is in draft
form. It extends the precautionary common law safety case concept of the two
earlier editions (2002 and 2007) to consider how the safety case can be used
as a tool to positively demonstrate safety due diligence consistent with the
provisions of the model Work Health and Safety (WHS) legislation that has
commenced all Australian jurisdictions except, at the time of writing, Western
Australia and Victoria.

The Guideline outlines the shift from hazard based risk assessment supported
by the risk management standard to the precautionary due diligence approach
now mandated by most Australian parliaments. Such a change has significant
implications for designers, especially in the use of standards that use target
levels of risk and safety such as EG(0) Power System Earthing Guide and IEC
61508 the Functional Safety Assessment standard as a design tool. Any
design that relies on a process that is specifically rejected by statute will
provide for serious legal difficulties. And in the event of a fatality, a beyond
reasonable doubt proof of recklessness would be available, which is expected
to lead to criminal charges for responsible officers of designer PCBUs (person
conducting a business or undertaking).

Much of the subject of this paper was also presented in an IDC 2011
conference1 before the commencement of the WHS act in Australian
jurisdictions. The authors have since tested the position described in this paper
with many lawyers and in-house legal counsel, to the unanimous approval of
them all.

1 Gaye E Francis and Richard M Robinson (2011). Power Safety Due Diligence. Proceedings of the IDC
“Power System Protection & Earthing Forum“. Perth. 23-24 November 2011.

 2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                     1
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

System of Law in Australia

There are two basic kinds of laws in Australia: statute law, which is made by a
Parliament consisting of democratically elected members, and common law,
which is law made by judges when deciding cases2. Statute law (also called
legislation) may be made by the Commonwealth Parliament, or by the
Parliament of a State or Territory.

Common law has its origins in England in the 12th century, before there was
any Parliament in England, when the King of England at that time (Henry II)
appointed members of his court to hear complaints and do justice on his behalf.
Judges making decisions drew on their notions of justice or fairness,
sometimes customs or traditions, sometimes Roman law. Reasons for judges’
decisions were recorded, and this body of case law, known as the common
law, became the most important source of law for judges. In time, judges
considered themselves to be bound to follow the precedents set by other
judges in earlier cases.

The High Court of Australia is the highest court in the Australian judicial
system. It was established in 1901 by Section 71 of the Constitution3. The
functions of the High Court are to interpret and apply the law of Australia; to
decide cases of special federal significance including challenges to the
constitutional validity of laws and to hear appeals, by special leave, from
Federal, State and Territory courts.

Australia inherited the common law system from the UK. And with the passage
of the Australia Acts of the1980s eliminating appeals to the Privy Council, the
High Court of Australia become the ultimate ‘reference’ for Australian case law.

In Australia court cases are conducted under the adversarial system in which
the court is asked to adjudicate upon ‘issues’ put forward by the parties upon
evidence adduced by the parties. The presiding judge has no power of inquiry
(the ‘inquisitorial system’), unlike courts in parts of Europe4.

There are several points about the adversarial system that need to be
remembered. It is first and foremost a court of law. And the courts are always
right even when they are in error as the decisions of appellate courts reveal.
And, as the Engineers Australia notes in the brochure Are You at Risk5 (1990):

           Adversarial courts are not about dispensing justice, they are about
           winning actions.

In this context, the advocates are not concerned with presenting the court with
all the information that might be relevant to the case. Quite the reverse, each
seeks to exclude information considered to be unhelpful to their side's position.

2 Adapted from: http://www.austlii.edu.au/au/other/liac/hot_topic/hottopic/2002/3/1.html viewed 5 April
2013.
3 Adapted from: http://www.hcourt.gov.au/about/role-of-the-high-court viewed 28 April 2013.
4   http://www.nswbar.asn.au/docs/resources/publications/structure.pdf viewed 5 April 2013.
5   Institution of Engineers, Australia (1990). Are You at Risk? Canberra.

    2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                          2
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

The idea is that the truth lies somewhere between the competing positions of
the advocates.

Further, courts do not deal in facts, they deal in opinions. Again from Are You
at Risk:
       What is a fact? Is it what actually happened between Sensible and
       Smart? Most emphatically not. At best, it is only what the trial court - the
       trial judge or jury - thinks happened. What the trial court thinks happened
       may, however, be hopelessly incorrect. But that does not matter - legally
       speaking.

That is, in court, the laws of man take precedence over the laws of nature6,
which can be particularly astonishing to engineers. In the adversarial system
innocence must be assumed or there is no case to try. If the defendant pleads
guilty, for example, the case stops immediately other than for the determination
of the penalty.

Engineering Due Diligence

Due diligence (or care) is a legal concept, derived from the societal need to
ensure fairness in dealings between human beings. It has been variously
defined, for example:

The diligence reasonably expected from, and ordinarily exercised by, a person
who seeks to satisfy a legal requirement or obligation7 and,

A minimum standard of behaviour which provides against contravention of
relevant regulatory provisions and adequate supervision ensuring that the
system is properly carried out.8

Such legal obligations can be created in the common law or by statute law as
has occurred with the commencement of the Model Work Health and Safety
(WHS) Act (2011) in most Australian jurisdictions.

One immediate reaction to such a definition is to institute a legal and regulatory
compliance audit. The difficulty with this approach to safety (meaning a lack of
harm) is that in a complex industrial society mere compliance with legislation
and all the regulations made by regulators under such legislation will not
necessarily make any particular situation or circumstance safe in reality. To be
safe requires that the laws of nature be managed competently prior to
compliance with the laws of man.

6 For example, in Turner vs The State of South Australia (1982) (HCA), the judges in the High Court of
Australia, when discussing why a lower court might have come to a particular judgement noted that: It is
possible that their Honours were also influenced by the opinion of an orthopaedic surgeon, Mr Jose, that
the upward force to required to raise a 400 lb drum from the prone to the upright position was 400 lbs.
That evidence which was set out in the judgement of Williams J at the first instance is plainly mistaken.
The upward force required to up-end a drum, with the bottom rim remaining on the ground, is an initial
force of approximately 200 lbs which progressively decreases as the top end is raised.
7                          th
  Black’s Law Dictionary, 4 Edition (2009)
8                                                   th
  LexisNexis Concise Australian Legal Dictionary, 4 Edition (2011)

    2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                            3
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Engineering due diligence is about overcoming this practical difficulty by
ensuring that the laws of nature and the laws of man simultaneously align.
Logically and practically, in order to be safe, it is better to manage the laws of
nature first and then to confirm that the requirements of the laws of man have
been met, rather than the other way around.

Common Law Due Diligence

Due diligence has been a primary defence against the tort (or wrong) of
negligence in the common law. In this context, what constitutes due diligence
in Australian case law has been established in a decision of the High Court of
Australia. In an appeal to the High Court from the Court of Appeal of the
Supreme Court of NSW9, Stephen J noted:

This appeal involves interpretation of the Hague Rules. During heavy weather
in the Great Australian Bight, the severity of which was unusual but not
unforeseeable, a number of drums of cleaning solvent stowed in a ship's hold
broke adrift, were damaged and their contents lost. The means of securing
them in place in the hold had been inadequate.

Under the Hague Rules (to which Australia is a signatory), Article IV Rights and
Immunities states:

          1. Neither the carrier nor the ship shall be liable for loss or damage
             arising or resulting from unseaworthiness unless caused by want of
             due diligence on the part of the carrier to make the ship seaworthy,
             and to secure that the ship is properly manned, equipped and
             supplied...

               Whenever loss or damage has resulted from unseaworthiness, the
               burden of proving the exercise of due diligence shall be on the
               carrier or other person claiming exemption under the section.

Reynolds J.A. summed up the conclusion of the Court of Appeal of the
Supreme Court of NSW in the following words:

          Loss or damage does not arise or result from perils of the sea where
          negligence is a concurrent cause. Where negligence allows or facilitates
          the perils of the sea to inflict damage on cargo, then in all relevant
          respects the loss or damage arises or results from the negligence. The
          perils of the sea must be guarded against by the use of due care.

The judges of the High Court unanimously dismissed an appeal to the High
Court and supported the view of the NSW Court of Appeal summarised by
Reynolds J.A. above. And when 10 superior court judges unanimously agree
on a particular point then this is robust case law and unlikely to change in the
near future.

9Shipping Corporation of India Ltd v Gamlen Chemical Co. A/Asia Pty Ltd [1980] HCA 51; (1980) 147
CLR (12 December 1980)

    2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                    4
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Model WHS Act (Statutory) Due Diligence

The model WHS Act10 has commenced in most Australian jurisdictions,
presently excepting Western Australia and Victoria. The act requires that
responsible officers of PCBU’s (persons conducting a business or undertaking)
to positively demonstrate safety due diligence. Penalties are criminal in nature
and can provide for up to 5 years jail for responsible officers for recklessness
(knew or made or let it happen). These responsibilities cannot be delegated,
although as a statutory invocation, such charges must be proved beyond
reasonable doubt.

The meaning of due diligence is considered in Part 2, Division 4 (27) of the
model WHS Act:

      (5)    In this section, due diligence includes taking reasonable steps:
      (a)    to acquire and keep up-to-date knowledge of work health and safety
             matters; and
      (b)    to gain an understanding of the nature of the operations of the business
             or undertaking of the person conducting the business or undertaking
             and generally of the hazards and risks associated with those
             operations; and
      (c)    to ensure that the person conducting the business or undertaking has
             available for use, and uses, appropriate resources and processes to
             eliminate or minimise risks to health and safety from work carried out
             as part of the conduct of the business or undertaking; and
      (d)    to ensure that the person conducting the business or undertaking has
             appropriate processes for receiving and considering information
             regarding incidents, hazards and risks and responding in a timely way
             to that information; and
      (e)    to ensure that the person conducting the business or undertaking has,
             and implements, processes for complying with any duty or obligation of
             the person conducting the business or undertaking under this Act; and
      (f)    to verify the provision and use of the resources and processes referred
             to in paragraphs (c) to (e).

The first approved draft of the model act left due diligence to be determined by
case law. The next cut defined due diligence to be the six points listed above.
The third and subsequent revisions advised that due diligence includes...
these six points.

This single word change is perhaps significant. For example, the Workcover
NSW 11 authority advises that, exercising due diligence includes, but is not

10 Model Work Health and Safety Act (revised draft 23 June 2011) as viewed at
http://www.safeworkaustralia.gov.au/sites/swa/about/publications/pages/model-work-health-safety-act-23- june-
2011 on 5 April 2013. Note that each jurisdiction has implemented the legislation slightly differently
although the general principles remain consistent. For example, the NSW uniquely imposes strict liability
(Clause 12A).
11
   WorkCover NSW,
http://www.workcover.nsw.gov.au/newlegislation2012/Directorsandofficers/Pages/Duediligence.aspx,
viewed 19 Oct 2012.

     2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                            5
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

limited to: the six points listed above. The Australian government has provided
the following definition in “Guidance for Officers in Exercising Due Diligence”12
under the WHS act:

               Due diligence – in the context of work health and safety – means taking
               every precaution that is reasonable in the circumstances to protect the
               health, safety and welfare of all workers and others who could be put at
               risk from work carried out as part of the business or undertaking.

Reasonably Practicable
According to the model WHS Act (Part 2, Division 1, Section 17)

        A duty imposed on a person to ensure health and safety requires the
        person:

        (a) to eliminate risks to health and safety, so far as is reasonably
            practicable; and
        (b) if it is not reasonably practicable to eliminate risks to health and safety,
            to minimise those risks so far as is reasonably practicable.

The meaning of reasonably practicable is defined in Subdivision 2:

        18 What is reasonably practicable in ensuring health and safety?
           In this Act, reasonably practicable, in relation to a duty to ensure health
           and safety, means that which is, or was at a particular time, reasonably
           able to be done in relation to ensuring health and safety, taking into
           account and weighing up all relevant matters including:

        (a) the likelihood of the hazard or the risk concerned occurring; and
        (b) the degree of harm that might result from the hazard or the risk; and
        (c) what the person concerned knows, or ought reasonably to know, about:
         (i)the hazard or the risk; and
        (ii)ways of eliminating or minimising the risk; and
        (d) the availability and suitability of ways to eliminate or minimise the risk;
            and
        (e) after assessing the extent of the risk and the available ways of
            eliminating or minimising the risk, the cost associated with available
            ways of eliminating or minimising the risk, including whether the cost is
            grossly disproportionate to the risk.

In other words (quoting Barry Sherriff13, one of the lawyers who helped draft the
legislation), the model WHS Act:

        Simply makes clear that you start with what can be done and only do less
        where it is reasonable to do so.

12
   Guidance for Officers in Exercising Due Diligence, Australian government,
http://www.comcare.gov.au/WHS/guidance_and_resources/guidance/guidance_for_officers_in_exercising
_due_diligence/due_diligencewhere_to_start_and_what_does_it_mean_to_you viewed 1 April 2013.
13   Barry Sherriff (March 2011) from a presentation to Engineers Australia, Brisbane.

     2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                               6
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Hazard to precaution based risk management

The traditional way to address safety risk is to:

           •         Identify the hazards
           •         Characterise the risk (likelihood and consequence) associated
                     with each hazard
           •         Compare this risk to tolerable or acceptable risk criteria or targets
           •         If the criteria are not satisfied, then to implement controls
                     (precautions or mitigations) until they are.

Such an approach has never satisfied common law judicial scrutiny. The
diagram below shows the difference between the two approaches, especially
for high consequence, low likelihood events. The top loop describes the
traditional hazard focused analysis listed above. If the technical risk target were
achieved in reality, the hazards of concern would not eventuate in the analyst’s
lifetime. But this is not the way of the world. Sometimes bad things will happen
and the courts will examine the results.

                         Hazard focussed

                                                             Technical
                                                                risk
                                                              targets

                        Future uncertainty
        Decision re hazard                                  Unwanted Event/s          Judgement   Time

                        Future uncertainty                          Safety critical

                                                                                              Judicial
                                                                                              Scrutiny

                                             Precaution focussed

                   Hazard vs Precaution focussed risk management14

The bottom loop describes the precautionary legal process applied by the
courts. This is necessarily hindsight biased. The courts simply do not care how
often matters went well. By definition, the courts only examine the minority of
things that went wrong. After the event, the fact is certain. This means that,
from the court’s viewpoint, prior-to-the-event estimates of rarity for serious
events were presumably flawed and that, prima facie, those who made such
estimates have provided beyond-reasonable doubt proof of negligence. As a
judge in NSW has been reported as saying to engineers after a major accident:

        What do you mean you did not think it could happen? There are 7 dead.

14Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due
            th
Diligence (9 Edition). R2A Pty Ltd. Page 26

     2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                         7
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

The way the courts assess the situation is to consult post-event expert
witnesses as to what could have been done to have prevented the disaster.
Being an expert with the advantage of hindsight is a comparatively straight
forward task. The only time the notion of risk is used in court is when the court
is testing to see if the precautions suggested by such experts (after the event)
were reasonable in view of what was known at the time of the decision.

SFAIRP vs ALARP

The diagram below describes the two approaches in a different way. The left
hand side of the loop describes the legal approach which results in risk being
eliminated or minimised so far as is reasonably practicable (SFAIRP) as
described in the model WHS legislation.

            Common law approach                                   Hazard identification                        Target risk approach
     (precaution based and criticality driven)                      (Foreseeability)                       (hazard based and risk driven)

                                               Criticality
                                            Establish critical                                     Hazard analysis and risk calculation
                                                hazards                                            process to determine the nature of risk
                                                                                                            and the level of risk
              Preventability
                                                                                                         (inherently unrepeatable)
           Identify all practicable
        precautions for each critical
       hazard following the hierarchy
                 of controls                                                                                                 Selected risk criteria
                                                                                                                     terms of reference against which the
                                                                                                                       significance of a risk is evaluated
                                                                                                                              (inherently subjective)
                                                            Risk Management
       Reasonableness                                     of downside (negative or pure) risk
 Determine which practicable                                                                                                 Compare against criteria
 precautions are reasonable                                                                                           process of comparing the results of risk
  based on the High Court                                                                                         analysis with risk criteria to determine whether
     established balance                                                                                            the risk and/or its magnitude is acceptable
      (disproportionality)                                                                                            (may eliminate further consideration of
                                                                                                                           acceptable or tolerable risks)

                                   Implementation
                              of reasonably practicable                                     Risk mitigation and management options
                                     precautions                 SFAIRP       ALARP                   process to modify risk.
                                                                                             (may not follow the hierarchy of controls)

                                                                 Monitoring and Review
                                                                   (Quality assurance)

                                                                     Due Diligence

             Precaution vs hazard based approaches to risk management15

The hazard based loop, shown on the right hand side, attempts to demonstrate
that risk is as low as reasonably practicable or ALARP. But there are major
difficulties with each step of this approach as noted in blue.

Firstly, hazard analysis and risk calculations are inherently unrepeatable. Two
independent risk experts assessing the same circumstances or situation never
come up with the same answer (unless they use deliberately identical
assumptions and processes in which case the assessment is not independent).

15Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due
            th
Diligence (9 Edition). R2A Pty Ltd. Page 167.

     2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                                                                      8
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Risk calculations and characterisations to enable a comparison with risk criteria
are always imperfect especially with regard to human failings and management
systems. Quoting Mark Tweeddale16:

         In the case of the process industry, most of the major disasters in recent
         years have resulted primarily from failures of management systems, which
         would not have been included in the quantitative assessment of risk, and
         not from random equipment failures such as are statistically assessable
         using data from data banks. This is a most serious limitation...

Secondly, risk criteria are subjective. The old adage should probably be
extended to; there are lies, damned lies, statistics and then there are target risk
criteria. Most risk criteria are based on statistical analyses. The traditional way
to determine them is to consider mortality and injury statistics. But they are just
that, statistics. The numbers change according to the exposed group selected.
For example, the lightning strike death rate of around 1 in 10 million (for the
whole population) is often selected as the lower limit to risk scrutiny for
individual risk. However, if the mortality figures for the group of people who
play golf during lightning storms is considered, it will be much higher. Which
number ought to be used? Further, the inconsistency in individual and societal
risk criteria between states, especially Victoria and NSW dating from the mid-
nineties is problematic.

Thirdly, if the risk associated with a hazard is below acceptable or tolerable
threshold, there is a tendency to say that nothing further needs to be done,
which is always problematic with low frequency, high severity events. The
overall situation is perhaps best summarised by Chief Justice Gibbs of the High
Court of Australia17:

         Where it is possible to guard against a foreseeable risk, which, though
         perhaps not great, nevertheless cannot be called remote or fanciful, by
         adopting a means, which involves little difficulty or expense, the failure to
         adopt such means will in general be negligent.

That is, it does not matter how low the risk estimate is, if more can be done for
very little effort, then the failure to do so will be negligent, in the event of an
incident

This leads to the fourth concern; that the temptation is to implement a
precaution that reaches the target risk threshold without formally considering
the hierarchy of controls.

16 Tweeddale, M., 2003. Managing Risk and Reliability of Process Plants. Boston: Gulf Professional
Publishing.
17 Turner v. The State of South Australia (1982) High Court of Australia before Gibbs CJ, Murphy,

Brennan, Deane and Dawson JJ).

     2013 Earthing, Lightning & Surge Protection Conference – IDC Technologies
                                                                                                     9
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

The hazard based approach seems to address its legal limitations with regard
to mitigations by adding caveats, for example from the NSW Land Use Safety
Planning Guidelines18:

      While it is useful to have objective, quantitative risk criteria, qualitative
      principles are equally important. These include:

      1. all ‘avoidable’ risks should be avoided;
      2. particular attention needs to be given to eliminating or reducing major
         hazards, irrespective of whether numerical criteria are met; and
      3. as far as possible, the consequences of significant events should be
         kept within facility boundaries.

The legal system (which requires a demonstration of due diligence following the
left hand side of the diagram) does not have this problem. As Andrew
Hopkins19 notes:

      At law, employers must drive down risks as far as is reasonably
      practicable, and there is no level of risk which, a priori, can be said to be
      acceptable. Moreover, the law has a well-defined set of principles for
      determining whether risks are as low as reasonably practicable, and
      despite the indeterminacy of these principles, it is by no means clear that
      QRA and the tolerability / acceptability framework offers a better way of
      deciding how low is low enough.

All this was not a legal issue whilst relevant statute law enabled the hazard
based approach, as statute law always takes precedence over the common
law. However, once the legal concept of due diligence is called up by statute
via the model WHS act the issue can no longer be side stepped.

The point of the shift is to ensure that all reasonable practicable precautions
are in place rather than to achieve an indefensible tolerable or acceptable level
of risk or safety, which is a typical result of the hazard based approach. As
Carveth Read20 put it in 1898:

      It is better to be vaguely right than exactly wrong.

18 NSW Department of Planning (2011). HIPAP 4: Risk Criteria for Land Use Safety Planning. Page 3.
Downloaded 5 April 2013 from:
http://www.planning.nsw.gov.au/LinkClick.aspx?fileticket=mEA7owrSNTg%3d&tabid=168&language=en- AU.
19
   Andrew Hopkins (2005). Safety, Culture and Risk. The Organisational Causes of Disasters. CCH
Australia. p 137.
20
   Carveth Read, Logic, deductive and inductive (1898).

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                                 10
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Due Diligence vs the Risk Management Standard

This shift from a hazard based risk assessment approach (which appears to be
encouraged by the risk management standard ISO 3100021) to the
precautionary due diligence approach (encouraged by the common law and
now the model WHS act), is summarised in the table below.

     Precaution based Due Diligence               ≠     Hazard based ISO 31000

     Precaution focused by testing all                Hazard focused by comparison to
     practicable precautions for                      acceptable or tolerable target levels
     reasonableness, that is, on the                  of risk22
     balance of the significance of the risk
     vs. the effort required to reduce it.

     Establish the context                     Establish the context
     Risk assessment (precaution based): Risk assessment (hazard based):
            Identify credible, critical issues        (Hazard) risk identification
            Identify precautionary options            (Hazard) risk analysis
            Risk-effort balance evaluation            (Hazard) risk evaluation
     Risk action (treatment)                   Risk treatment

     Criticality driven                               Risk (likelihood and consequence)
     Usual interpretation of WHS Act &                driven
     common law.                                      Usual interpretation of AS/NZS ISO
                                                      31000

       A paradigm shift from hazard to precaution based risk assessment

The point of the shift is to ensure that all reasonable practicable precautions
are in place (that is, so that risks are eliminated or minimised so far as is
reasonably practicable or SFAIRP), rather than to achieve an indefensible
target level of risk or safety (like ALARP), which is a typical result of the hazard
based approach.

The hazard based approach is all about inputs whilst the precaution based
approach is all about outputs which is far more useful and productive. That is,
not only are the requirements of the legislation met, it actually provides for
superior safety outcomes more efficiently.

21
   Standards Australia & Standards New Zealand, 2009. Risk Management Principles and Guidelines
AS/NZS ISO 31000:2009. Sydney.
22
   From the definition in AS/NZS ISO 31000: 2.24 risk evaluation process of comparing the results of risk
analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is
acceptable or tolerable.”

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                                      11
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Implications for Designers

If the arguments for the weaknesses of the hazard based approach (especially
using acceptable or tolerable levels of risk) are accepted then the implications
for designers in a great number of industries that deal with rare, high
consequence events are profound. Two are described in the following
sections, land use planning for major hazard industries and high voltage
earthing.

Land Use Planning

Possibly the most unfortunate outcome of the use of hazard based analysis
using target risk criteria is in land use safety planning for hazardous chemical
facilities.23

Firstly, if the criteria are not satisfied it tends to sterilise planning areas from
development. From an engineering perspective at least, this is just silly. Any
site has issues, including windstorm hazards, geotechnical and earthquake
potentials, storm surge, flooding and inundation, lightning strike potentials etc.
For the design to be successful, all these must be addressed. The fact that
there is a chemical exposure is just another hazard to be managed. If in order
to be safe, people wind up in an unaffordable, unattractive, air conditioned
bunker, then it may be that the project will not proceed. But this will be for
commercial reasons, not safety ones.

                                                                                    Credible worst case
                                                                                   consequence contour
                                                 Calculated 10-6
                                                     pa risk contour

                                                                                                          No special
     Normal building                                   Major
                             Exclusion zone                                  Increasing precautions       precautions
     standards apply                                   hazard                                               needed
                                                       facility

                        Target risk level approach                Precautionary approach

       Precautionary vs target risk level approach to land use planning

Secondly, it ignores rare, catastrophic hazards. For example, if a plot of the
over-pressures at Buncefield (an unconfined vapour cloud that detonated in the
UK in 2005) were to be mapped to any major hazard fuel farm in Australia, the
area that can cause fatalities is huge. But although monstrous, this is
historically a very rare event. If the event is discounted by the unlikelihood of its
occurrence (at say 1 x 10-9 pa) in accordance with the risk target approach
(typically 1 x 10-6 pa or 3 orders of magnitude larger) it is a much smaller area.

23 Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due
            th
Diligence (9 Edition). R2A Pty Ltd. Page 169

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                                               12
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Under most current planning regimes, structures developed beyond such 10-6
pa individual risk contours need only be building code compliant. No building is
permitted closer to the major hazard facility. The diagram above describes the
concept.

Adopting the precautionary approach to land use planning in these
circumstances means that, the closer to the hazard a structure is, the greater
the precautions need to be. In principle, provided the level of protection is high
enough, there are no limits to where a structure could be built in relation to the
major hazard facility presented above. For example, immediately adjacent to
the explosion, the protection required may be a concrete bunker as death may
result directly from the overpressure. The direct overpressure danger may be
reduced at some distance but a house with laminated windows may be
required to prevent glass shards shrapnelling occupants. Beyond the credible
worst case contour no protection from this hazard is required.

The QRA (quantified risk assessment) calculation of the risk contour is
beneficial only in terms of determining the level of protection that is required at
a given location, enabling the common law test of the balance of the
significance of the risk vs the effort required to reduce it to be applied. For
example, between the 10-6 pa risk contour and the credible worst case
consequence contour the cost of the provision of sheet metal roofs and
laminated glass windows rather than tiles and ordinary glass, especially for new
structures is very, very small indeed.

If buildings are permitted between the designated 10-6 pa individual risk contour
and accelerative glass over-pressure limits without such precautions, and an
(admittedly rare) explosion resulting in deaths or injuries occurs, then the
responsible officers of PCBUs responsible for approving and building such
structures (town planners, developers, architects, engineers, builders etc) may
be found negligent under common law and criminally reckless under the
provisions of the new WHS legislation (knew or made or let it happen).

EG(0), The Power System Earthing Guide

EG(0), the Power System Earthing Guide24 appears to define risk limit targets
consistent with the NSW Department of Planning guidelines as shown in the
table and figure below.
                                                Table 4-1: Target individual fatality probability limits
                  Probability of     Risk classification
                  single fatality                             Resulting implication for risk treatment
                                     for public death
                                        High or
                    ≥ 10-4                                 Must prevent occurrence regardless of costs.
                                     Intolerable risk
                                    Intermediate or        Must minimise occurrence unless risk reduction is impractical
                   10-4-10-6
                                    ALARA Region           and costs are grossly disproportionate to safety gained.
                                       Low or              Risk generally acceptable, however, risk treatment may be
                    ≤10-6
                                     Tolerable risk        applied if the cost is low and/or a normally expected practice.

                                      EG-0 individual risk limits

24 Energy Networks Association Limited (2010). EG-0 Power System Earthing
Guide. Part 1: Management Principles. Version 1 – May 2010. Canberra.

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                                                             13
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

                                      Figure 4-4: Societal F-N risk limits
                                  EG-0 societal risk limits

   »      Intolerable Region—The risk profile must be reduced.
   »      ALARA Region—Reduce the risk profile whenever possible, and only accept
          the residual risk on the basis of a risk cost benefit analysis (RCBA) (see
          Appendix F). The use of the ALARA principle (or ALARP) is clearly intended
          to form a key part of the Due Diligence process embodied in this Guide. The
          ALARM principle that requires a designer and asset owner to reduce the risk
          profile whenever possible provides a consistent yet practical means for
          managing earthing system related risk.
   »      Low or tolerable Region—Risk generally acceptable, however, risk treatment
          may be applied if the cost is low and/or a normally expected practice.

Whilst the table has further caveats that consider some of the weaknesses of
the hazard based approach to risk described in this paper, for example, in the
low or tolerable region, the overall use of such target risk levels remains
contrary to the SFAIRP approach of the model legislation.

Such an approach is especially problematic in states like Queensland that have
modified the provisions of the Electrical Safety Act (Qld) to be entirely
consistent (including penalties) with the provisions of the WHS act.

As a consequence, the attempt by Energy Networks Australia (ENA) to
introduce target risk based processes to assess the safety of earthing systems
via EG(0), is flawed. It means that organisations and their officers that use
such target risk based processes as the primary tool for risk decision making
would be subject to post event scrutiny under the new model WHS legislation.
In the event of a fatality such officers would presumably be prosecuted for
acting recklessly under the criminal provisions of the act. It may also leave the
ENA and its officers open to prosecution for endorsing and promoting an
arguably suspect process.

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                             14
Session Three: Implications for Designers of the Engineers Australia Safety Case Guideline

Conclusion

In reality, to be safe means to be free from harm. In court, safe means that,
despite something apparently unsafe having happened, due diligence has been
demonstrated. In engineering terms this means that to be safe requires
managing the laws of nature in a way that is consistent with the laws of man, in
that order.

The Engineers Australia Safety Case Guideline has always adopted the
precautionary common law formulation for the demonstration of due diligence
as a defence against negligence, namely:

        •        A completeness argument as to why all credible critical safety
                 issues to all affected parties have been identified
        •        A argument as to why all practicable precautions for each credible
                 critical issue has been identified,
        •        An argument as to which practicable precautions are reasonable
                 consistent with decisions of the High Court of Australia, and
        •        The establishment of a safety quality assurance regime to confirm
                 that all reasonably practicable precautions are maintained on an
                 continuing basis.

Such an approach does not mean bad things can’t happen. It means
(presuming that the activity is not prohibitively dangerous such that it should not
occur at all) that all reasonable practicable precautions for all foreseeable,
critical hazards to all affected parties are in place, based on the balance of the
significance of the risk vs the effort required to reduce it. This also means that
risks should be eliminated or minimised so far as is reasonably practicable
(SFAIRP).

The 3rd revision of the Guideline outlines the shift from hazard based risk
assessment to the precautionary due diligence approach now mandated by
most Australian parliaments. Such a change has significant implications for
designers, especially in the use of standards that use target levels of risk and
safety such as EG(0) Power System Earthing Guide as a design tool. Any
design that relies exclusively on a process that is specifically rejected by statute
will provide for serious legal difficulties. And in the event of a fatality, a beyond
reasonable doubt proof of recklessness would be available, which would be
expected to lead to criminal charges for responsible officers of designer PCBUs
(person conducting a business or undertaking) under the provisions of the
model WHS legislation.

Earthing, Bonding & Surge Protection – IDC Technologies
                                                                                             15
You can also read