Demonstrating SFAIRP (Conference Paper, CORE 2023)

This paper was presented at CORE (Conference on Railway Excellence), June 2023, in Melbourne, Australia, by Gaye Francis BE MAICD FIEAust, Managing Partner of R2A.

SUMMARY

SFAIRP (so far as is reasonably practicable) is the ‘modern’ definition of ‘safe’. Shrouded in the legal concept of the ‘safety case’, it is actually the legislated implementation of the judicial form of the principle of reciprocity – the golden rule – do unto others, incorporated into the common law by the Brisbane-born English law lord, Lord Atkin, in 1932. [1]

In rail safety terms, it asks the question: “If you are affected in any way by a rail network (passenger, driver at a level crossing, rail worker etc), how would you expect the network and rolling stock to be designed and managed in order for it to be considered safe?”

The answer is that it now requires a public demonstration that all reasonably practicable precautions are in place in a way that satisfies the will of our parliaments and our sovereign’s courts, otherwise known as a SFAIRP safety case.

1 INTRODUCTION

The rise of Work Health and Safety [2] (WHS) legislation and associated Rail Safety National Law [3] (RSNL) mandates that there needs to be a positive demonstration of safety due diligence. If there is a conflict between the two Acts, the WHS legislation takes precedence (section 48 of RSNL). Presently, the most robust and effective way to achieve this known to the authors is by the use of the safety case concept to demonstrate SFAIRP (that hazards, risks and harm have been eliminated or reduced so far as is reasonably practicable), that is, the rise of the SFAIRP safety case.

Safety Cases have been around for a long time. In Victoria they are de rigueur in rail, gas, petroleum, power and major hazards industries. For example, the Victorian Major Hazard regulations [4] (OH&S, 2000) have required that the operator must identify all hazards that could cause major incidents (Section 302) and that such a safety case must be signed off by the most senior company officer resident in Victoria (Section 402).

The inclusion of criminal manslaughter provisions in safety legislation (which therefore includes dealing with hazards that were either known or ought to have been known) has reinforced this. It is now absolutely essential for anyone (especially officers as defined by corporations’ law) responsible for the design, construction and management of any facility that can cause fatalities, like railways, to positively demonstrate safety due diligence in a way that is scientifically defensible, organisationally useful, publicly digestible and which will survive post-event legal scrutiny.

Note also that on 1 July 2021, Victoria commenced the SFARP provisions of the Environmental Protection Act 2017 [5]. Amongst other things, this Act imposes a general environmental duty (GED) on a person to minimise, as far as reasonably practicable (SFARP), risks or harm to human health and the environment (Section 25). Particularly, it further requires the person to eliminate such risks, and if not reasonably practicable to do so, to reduce them so far as reasonably practicable (Section 6). If not already, it appears to be only a matter of time before the SFA(I)RP concept will be entrenched in other legislation and regulatory instruments.

In this context, it is important to remember that legally, safety risk does not arise because something is inherently dangerous, which railways potentially are, rather it arises because there are insufficient, inadequate or failed precautions as determined by our courts, post event.

2 The Safety Case Concept

The safety case concept is a well-established method for organisationally demonstrating safety due diligence. As the English law lord, Lord Cullen put it in 2001 [6]:

A safety case regime provides a comprehensive framework within which the duty holder’s arrangements and procedures for the management of safety can be demonstrated and exercised in a consistent manner. In broad terms the safety case is a document – meant to be kept up to date – in which the operator sets out its approach to safety and the safety management system which it undertakes to apply. It is, on the one hand, a tool for internal use in the management of safety and, on the other hand, a point of reference in the scrutiny by an external body of the adequacy of that management system – a scrutiny which is considered to be necessary for maintaining confidence on the part of the public.

Safety cases have parallels with business cases. The latter are usually drawn up to convince a financier that an organisation is viable. The object is to assure that all significant factors affecting the organisation have been identified and that appropriate measures are in place to maximise the positive factors and minimise the negative ones. This is usually the responsibility of the highest levels of management of the organisation.

3 Demonstrating SFAIRP

This section outlines R2A’s Y Model [7] developed in 2011 to specifically address the requirements of the model WHS Act, which in turn satisfies the obligations of the RSNL. That is, to eliminate risks to health and safety so far as is reasonably practicable (SFAIRP), and if it is not reasonably practicable to eliminate risks to health and safety, to reduce those risks so far as is reasonably practicable. The process has been applied to very many organisations since, always to the satisfaction of relevant legal counsel.

Figure 1. R2A ‘Y’ Model


The safety due diligence approach implements the ‘Y’ model shown above based on a diagram after Sappideen and Stillman, 1995 [8]. This has four steps summarised below.

3.1 Credible critical issues completeness

This is a completeness check to ensure all credible critical safety issues have been identified, that is, the issues faced by a rail operator that have the potential to cause serious harm. This can be done in a number of ways, such as vulnerability or consequence assessments (who is exposed to what hazards), reviews of past incidents, generative interviews with recognised experts and so on.

Figure 2. Applies to Critical Threats and Hazards


3.2 Identifying all possible practicable precautions

The second step is to develop a process that ensures all physically possible measures to eliminate or minimise the risk have been consistently considered. Part of this will include testing for controls and safety measures identified by rail owners and operators. Legislation and regulation require that risk control be based on the hierarchy of controls shown below, applied in order from most to least preferred: elimination, prevention and mitigation. These decisions need to be adequately documented with appropriate sign-off.

Figure 3. Hierarchy of controls as tested in court post-event

3.3 Reasonableness & barrier implementation

This step looks at all of the precautionary options that are possible and available and, in view of what is already in place, decides on additional precautionary effort. The decision is a balancing exercise and involves taking into account and weighing up all relevant matters including, on the one hand:

the likelihood of the hazard or risk concerned occurring;

the degree of harm that might result from the hazard or risk;

what the person knows, or should reasonably know, about the hazard or risk and ways of eliminating or minimising that risk;

the availability and suitability of ways to eliminate risk; and also costs associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

Or, put another way, the decision is based on the balance of the significance of the risk (likelihood and consequence) versus the effort required to reduce it. Effort includes cost (how much), the degree of difficulty and inconvenience (how hard it is to implement) and utility of conduct (what other things go missing if that course of action is adopted). In this context, recognised good practice is the starting point, not the goal. This is where disproportionality comes into play.

Disproportionality results from the law of diminishing returns (the pain is not worth the gain) for precautionary effort.

For example, if the first precaution reduces the risk by 99%, the next precaution can only affect the remaining 1%, and so on. So, in terms of the balance of the significance of the risk vs the effort required to reduce it, the scales thump to the ‘let’s not do any more for now’ side very quickly for effective precautions.

3.4 Quality assurance

A quality process confirms that the agreed precautions are sustained.


4 Possible Safety Case Arguments

Efforts to demonstrate how risk should best be managed have given rise to a number of risk management decision paradigms all of which have or are being used to support safety case arguments in different industries. A paradigm is a universally recognised knowledge system that for a time provides model problems and solutions to a community of practitioners (Kuhn, 1970) [9]. New paradigms based on more comprehensive or convincing theories may supersede older ones or exist co-jointly with them.

This section describes a number of the most common risk paradigms [10] and details some of the advantages and disadvantages of each. They are listed in the order in which they became historically apparent. The paradigms are:

i. The rule of law.

ii. Traditional risk management historically typified by Lloyds Insurance and the US Factory Mutuals’ highly protected risk (HPR) approaches.

iii. Asset based risk management, typified by engineering-based failure modes, effects and criticality analysis (FMECA), hazard and operability (Hazop) and quantitative risk assessment (QRA) approaches.

iv. Threat-based risk management typified by strengths, weaknesses, opportunities and threats (SWOT) and vulnerability type 'top-down' mission-based military appreciation type analyses.

v. Solution-based ‘good practice’ risk management rather than hazard-based risk management.

vi. Biological, systemic mutual feedback loop processes, often manifested in hyper-reality computer-based simulations.

vii. Risk culture concepts including quality type approaches.

4.1 The rule of law

The power of the legal approach is that it is time-tested and proven. The Brisbane born English law lord, Lord Atkin unleashed an avalanche of negligence claims in the common law world (Donoghue v Stevenson 1932) [1] with the view that:

You must take reasonable care to avoid acts or omissions which you can reasonably foresee would be likely to injure your neighbour.

If the judiciary is independent of political and commercial interests of the day, then an independent and potentially fair resolution can occur. Perhaps this is why it works; both the political and judicial systems must simultaneously fail before social breakdown occurs and there is potential for catastrophic social dislocation. The weakness of the legal approach, certainly in an adversarial legal system like ours, is that the courts remain courts of law rather than courts of justice. As The Institution of Engineers, Australia (1990) notes [11]:

Adversarial courts are not about the dispensing of justice, they are about winning actions. In this context, the advocates are not concerned with presenting the court with all the information that might be relevant to the case. Quite the reverse, each seeks to exclude information considered to be unhelpful to their side's position. The idea is that the truth lies somewhere between the competing positions of the advocates.

Further, courts do not deal in facts; they deal in opinions.

What is a fact? Is it what actually happened between Sensible and Smart? Most emphatically not. At best, it is only what the trial court, the trial judge or jury - thinks happened. What the trial court thinks happened may, however, be hopelessly incorrect. But that does not matter - legally speaking.

4.2 Insurance and historical records

The Lloyds Insurance and the Factory Mutual Highly Protected Risk (HPR) [12] approaches historically typify insurance-history based risk management. Looking at past incidents and losses and comparing these to existing plants and facilities allows judgements to be made about (future) risk. The difference historically is that one approach, Lloyds', has a financial focus, whereas the Factory Mutuals’ focus is targeted at a level of engineered and management excellence.

The power of the insurance process is the very tangible nature of history, and in a sense the results represent the ultimate Darwinian ‘what if’ analysis. Its weakness is that in the modern rapidly changing world, empirical history has become an increasingly less certain method of predicting the future.

4.3 Asset and hazard

Asset based risk management is typified by engineering based FMECA (failure modes effects and criticality analysis), Hazop (hazard & operability) and QRA (quantitative risk assessment) event-based approaches. The power of event-based techniques lies in the detailed scrutiny of complex systems and the provision of closely-coupled solutions to identified problems. It revolves around hazards and component failure events within the asset (here, the railway) and their flow-on steps through the asset, to see whether they culminate in partial or full failure of the asset and its system function. Any proposed risk control solutions can be both focussed and specific. They can be easily considered for cost/benefit results. Each step (effectively a potential barrier) can be assessed for SFAIRP. The resulting risk registers are powerful decision-making tools.

However, these methods have to separately address common cause or common mode failures which became apparent from major loss events that the authors have investigated. Event-based techniques typically do not examine how a catastrophic failure elsewhere might affect a particular component or the others around it. In the case of FMECA and QRA, after assessing failure modes, care has to be taken in determining what failure modes are mutually exclusive and what needs common cause / mode consideration / adjustment and how this translates to risk control solutions.

4.4 Threat (error) and vulnerability - military intelligence

Threat-based risk management is typified by SWOT (strengths, weaknesses, opportunities and threats) and vulnerability type top-down analyses. These methods mostly identify areas of general strategic concern rather than solutions to particular problems. Its strength is that it provides a completeness argument for why no credible critical issues have been overlooked. In rail safety cases, it is a particularly common approach for assessing the impacts of rail events such as derailment and collision on the critical exposed groups.

4.5 Recognised good practice

An alternative to this is precautionary (solution-based) good practice risk management. The good practice risk management approach simply looks at all the good ideas other people in an industry use to see if there is any reason why such ideas ought not to be applied at one’s own site. The good practice approach is particularly powerful in a common law due diligence sense. If there were a simple solution to a serious problem implemented at a competitor's facility, then common law negligence could arise if failure to adopt this good practice resulted in something going badly wrong at the subject site.

A good practice process is one of the few approaches that address this difficulty. In a sense, this is confirming the view that liability arises when there are unimplemented good ideas rather than the existence of hazards or vulnerabilities in themselves. For example, could a marine pilot’s PPU (personal pilotage unit) be adapted and used for situational awareness by a train driver for long distance travel between states?

4.6 Evolutionary simulation

Biological/computer simulation paradigms are derived from the application of evolutionary concepts developed in virtual reality. This amounts to modelling a complex system in a virtual reality environment and playing endless what if scenarios. Such computer simulations can be most easily used for worst-case combinations of variables. The simulations can also be fine-tuned by calibrating against empirical data or through carefully controlled physical experiments.

4.7 Culture

James Reason [13], a psychologist, develops a cultural paradigm model in several ways (Reason, 1997). He notes three types of risk culture:

Pathological - don’t want to know and messengers arriving with bad news are ‘shot’

Bureaucratic - messengers are listened to if they arrive alive

Generative - actively seek bad news and train and reward messengers

Figure 4. SFAIRP and Reason’s paradigms


The importance of these concepts is well known in rail safety.

These paradigms are listed in Table 1 below, together with the three generic techniques by which humans seem to make decisions. These are:

Expert reviews. The difficulty with this approach is that, if you don’t think the expert is right, there needs to be at least two alternative experts to change the decision.

Facilitated workshops. This parallels the adversarial legal system, where the sovereign’s champions (usually two barristers) present the alternative cases and the judge or jury decides.

Selective interviews, which parallel the inquisitorial system where someone armed with vast powers subpoenas persons until they have enough evidence to come to a judgement. In the Australian and New Zealand systems, this is represented by Coronial Enquiries and Royal Commissions.

Table 1 Available techniques

Each of these paradigms and decision techniques has different pros and cons depending on the culture of the organisation and the nature of a particular task. The best methodologies that might be used in the implementation of a safety case in each of the risk paradigms as determined by the Risk Engineering Society of Engineers Australia (2014) [10] are highlighted in Table 1.


5 Exemplar SFAIRP safety case

This section considers which of the possible safety case arguments would support the SFAIRP process as applied to rail safety cases. It is difficult to prescribe which arguments are optimal without a particular railway in mind. There is no single ‘right way’ to complete a SFAIRP safety case. The arguments that are to be used to support the safety case need to be established in advance and are likely to depend on the circumstances of each rail and are unlikely to be the same for any two railways. For example, the safety argument for a suburban electric network is likely to be entirely different to an outback mining corridor or an isolated, single train heritage track.

5.1 Credible critical issues completeness argument

For the particular rail under consideration, what are the best approaches to determine which are the credible critical failure mechanisms for that particular railway?

5.2 Identifying all possible practicable precautions

There are a number of generic analysis tools that can be employed to identify possible practicable precautions and then facilitate the reasonableness assessment of same. They include cause-consequence diagrams, threat-barrier (bow-tie), layers of protection analysis (LOPA) and Venn (Swiss Cheese) diagrams. These are discussed in Robinson & Francis (2022) [14]. However, in the experience of the authors as expert witnesses, the one that has proven to be most successful with the courts and the public has been single line threat-barrier diagrams.

The following sample threat barrier diagram has been developed for a representative credible critical issue associated with railways. It identifies the legal loss-of-control point and the existing and possible control barriers. The legal loss-of-control point is the point at which the laws of nature and man align. Controls that act before the loss-of-control point are legally precautions that stop the loss-of-control from occurring (that is, reduce the likelihood of its occurrence) whilst controls that act after the loss-of-control point are mitigations and reduce the scale of the consequences. Effectively, such a diagram describes the legislatively mandated hierarchy-of-control moving from left to right.

Figure 5. Sample single line threat-barrier diagram


The key is not only to identify the existing barriers (shown as solid vertical lines) but also to identify all further possible practical controls (shown as dotted vertical lines), including emerging technology and what is considered recognised good practice, especially in new rail projects. For example, new rail tunnel ventilation and smoke extraction systems are typically designed to handle a fully developed worst case train fire with concomitant evacuation paths, that is, smoke blown one way with evacuating people moving in the other direction. This is a good practice precaution that should then be tested for reasonableness for any upgrade works on existing rail tunnels.

Another example: could a Driver’s Resource Management (DRM) system modelled on the marine pilot’s PPU (personal pilotage unit) and BRM (Bridge Resource Management) be provided on interstate trains? The technology is well established, sold globally and would only have to be adapted.

Preliminary discussions with manufacturers [15] at the AMPI conference [16] in Hobart in March this year suggest that the hardware cost per driver would be around $5,000. This would provide a completely independent, battery powered (15 hours), weather resistant driver management system (DMS) including a driver’s iPad with magnetically attached GNSS (GPS, GLONASS, Galileo, QZSS, BeiDou etc) positioning units (with SBAS correction to 1 m accuracy) at either end of a train (to confirm train continuity), each with 3G, 4G and 5G real time communications and satellite data connections (including jamming and spoofing resistance). Such units would automatically provide for voice recording of the driver and train control.

Figure 6 Marine pilot PPU [17]

The main cost would be interfacing the track data and real-time environmental databases and train movement information provisionally estimated at $50m for the whole of Australia. Coupled with TMACS [18] train control (originally functionally certified by R2A for NSW in the late 90s) and watchdog monitoring this would probably increase driver, track gang and train controller situational awareness by up to 2 orders of magnitude.

That is to say, it is not enough to only consider your own industry for new precautions to address known risks.

5.3 Reasonableness and barrier Implementation

In determining reasonableness, further controls must be considered in hierarchy of control order based on the balance of the significance of the risk versus the effort required to reduce it. Some organisations look at short, medium and long term SFAIRP options. For example, an upgraded train protection system on a section of track may be the ultimate long term (5-10 year) SFAIRP option, but a shorter term (12 months) SFAIRP option may be to reduce the number of possible train collision interactions, enhance signal sighting for drivers and optimise the performance of the existing mechanical train stops.

From a due diligence perspective, not only is it important to document further controls to be implemented but also record why certain controls are not considered reasonable. Also, it is important that:

Recognised good practice, such as that represented in a standard, is just the starting point. Further good ideas are to be tested for value. For example, the option to piggyback on ADS-B [19] from the aviation industry, thereby treating trains as low flying aircraft, is an intriguing idea.

Decisions should be made to a common law standard consistent with decisions of the High Court of Australia, such as Justice Mason’s decision in Wyong Shire Council v Shirt (High Court of Australia, 1980) [20].

Precautions with less than a 50% chance of working (as a likelihood assessment) ought not to be considered / adopted as (legally) they are more likely to fail than succeed.

Consultation with those who are at risk is legislatively mandated. For major community issues, this consultation is expected to be wider than just teams of experts described in the workshop sign-off below.
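The single-line threat-barrier diagram of Figure 5, the hierarchy-of-control ordering of section 3.2, the diminishing-returns argument of section 3.3 and the reasonableness points above (including the rule that a precaution less likely to work than to fail is not adopted) can be tied together in a small model. The following Python is an added, constructed example, not R2A's own tooling or method: the threat, barrier names, frequencies, effectiveness values, annualised costs and the dollar value placed on a unit of harm are all assumptions, the "grossly disproportionate" threshold is a simple factor chosen for illustration, and barriers are treated as independent, which is precisely the common-cause simplification section 4.3 says must be handled separately. What it adds to the text is the decision record: for every possible (dotted-line) barrier it states whether it was adopted and why, which is what section 5.3 asks the safety case to document.

```python
"""Constructed single-line threat-barrier model with a SFAIRP reasonableness
check.  Added example; not R2A tooling.  All figures are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

PRECAUTION = "precaution"   # acts before the legal loss-of-control point
MITIGATION = "mitigation"   # acts after it


@dataclass
class Barrier:
    name: str
    kind: str               # PRECAUTION or MITIGATION
    effectiveness: float    # probability the barrier works when demanded (0..1)
    existing: bool = True   # solid line (in place) or dotted line (possible)
    effort: float = 0.0     # annualised cost of a proposed barrier, $/yr (constructed)


@dataclass
class ThreatLine:
    threat: str
    initiating_frequency: float   # demands on the barrier chain per year, no barriers
    unmitigated_harm: float       # harm (fatality equivalents) if every mitigation fails
    harm_value: float             # $ the duty holder assigns to one unit of harm (assumed)


def residual_risk(line: ThreatLine, barriers: List[Barrier]) -> Tuple[float, float, float]:
    """Return (likelihood/yr, harm per event, expected harm/yr) given the barriers.

    Precautions reduce the likelihood of reaching the loss-of-control point;
    mitigations reduce the harm once it is reached.  Barriers are treated as
    independent (the common-cause simplification section 4.3 warns about).
    """
    likelihood = line.initiating_frequency
    harm = line.unmitigated_harm
    for b in barriers:
        if b.kind == PRECAUTION:
            likelihood *= 1.0 - b.effectiveness
        else:
            harm *= 1.0 - b.effectiveness
    return likelihood, harm, likelihood * harm


def hierarchy_order(barriers: List[Barrier]) -> List[Barrier]:
    """Precautions before mitigations; within a level, most effective first so that
    lesser options are judged against the residual the better one leaves (assumption)."""
    return sorted(barriers, key=lambda b: (0 if b.kind == PRECAUTION else 1, -b.effectiveness))


def reasonableness_review(line: ThreatLine, barriers: List[Barrier],
                          gross_factor: float = 10.0):
    """Test each possible (dotted) barrier in hierarchy order and adopt it unless
    (a) it is more likely to fail than work, or (b) its effort is grossly
    disproportionate to the value of the risk it removes.  Returns the decision
    record a safety case needs (name, adopted, reason) and the resulting barrier set."""
    in_place = [b for b in barriers if b.existing]
    decisions = []
    for b in hierarchy_order([b for b in barriers if not b.existing]):
        if b.effectiveness < 0.5:
            decisions.append((b.name, False, "more likely to fail than succeed"))
            continue
        _, _, before = residual_risk(line, in_place)
        _, _, after = residual_risk(line, in_place + [b])
        benefit = (before - after) * line.harm_value      # $/yr of harm avoided
        if b.effort > gross_factor * benefit:
            decisions.append((b.name, False,
                              f"effort ${b.effort:,.0f}/yr grossly disproportionate "
                              f"to ${benefit:,.0f}/yr of harm avoided"))
            continue
        in_place.append(b)
        decisions.append((b.name, True,
                          f"expected harm {before:.5f} -> {after:.5f} per yr"))
    return decisions, in_place


# Constructed sample: a collision following a signal passed at danger.
SAMPLE_LINE = ThreatLine("Collision after signal passed at danger",
                         initiating_frequency=0.5, unmitigated_harm=10.0,
                         harm_value=5_000_000.0)
SAMPLE_BARRIERS = [
    Barrier("Signal sighting and route knowledge", PRECAUTION, 0.9),
    Barrier("Mechanical train stop", PRECAUTION, 0.9),
    Barrier("Crashworthy rolling stock", MITIGATION, 0.5),
    Barrier("Upgraded train protection system", PRECAUTION, 0.99, existing=False,
            effort=1_000_000.0),
    Barrier("Second independent protection layer", PRECAUTION, 0.9, existing=False,
            effort=5_000_000.0),
    Barrier("Fewer conflicting movements in timetable", PRECAUTION, 0.5,
            existing=False, effort=100_000.0),
    Barrier("Additional emergency response drills", MITIGATION, 0.3,
            existing=False, effort=20_000.0),
]


def sample_review():
    return reasonableness_review(SAMPLE_LINE, SAMPLE_BARRIERS)


if __name__ == "__main__":
    decisions, final = sample_review()
    for name, adopted, why in decisions:
        print(f"{'ADOPT ' if adopted else 'REJECT'} {name}: {why}")
    print("residual expected harm/yr:", round(residual_risk(SAMPLE_LINE, final)[2], 6))
```

Run as a script, the model adopts the upgraded train protection system and then rejects the remaining precautions: once the first effective precaution has removed 99% of the residual likelihood, the next ones can only act on the remaining 1%, so their cost per unit of harm avoided becomes grossly disproportionate, which is the diminishing-returns point of section 3.3 in numbers. The drills are rejected on the 50% rule before any cost is weighed. Changing the order in which candidates are tested changes the outcome, which is why the hierarchy-of-control ordering and the record of each rejection matter in a real safety case.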

5.4 Quality assurance

5.4.1 Workshop sign-off

One point often overlooked in most SFAIRP (risk) workshops is the sign-off. Workshops should be organised to ensure that the best available knowledge and expertise is in the room. This means, however, that at the end of the workshop session the group should be formally tested to see if there are any other issues of concern which had not been raised or adequately addressed during the workshop session and, more importantly, if there were any other good ideas or precautions that should be put on the table for consideration. Any issues raised should be tested and resolved formally.

5.4.2 Review by legal counsel

Most legal advice regarding the demonstration of due diligence as required by the model WHS legislation is focussed on a compliance audit to the relevant section and clauses. But this should be the outcome of the due diligence process, not the cause. That is, in order to be safe in reality, it is firstly necessary to manage the laws of nature. Confirming that this has been achieved to the satisfaction of the laws of man is a secondary exercise and one to which lawyers can be usefully and efficiently tasked, especially regarding consensus as to the legal loss-of-control point/s. If it isn’t clear to the lawyers on reading the safety case that the legal loss-of-control point is sound, then the application of the hierarchy of controls is likely to be confused and leave everyone and everything open to post-event legal argument and potential liability.

5.4.3 Articulated enduring QA process

The procedures by which agreed precautions are to be sustained into the future need to be articulated and adequately documented.

6 Conclusion

The SFAIRP safety case is increasingly being entrenched in legal systems and regulatory instruments.

Our parliaments and courts are not requiring that ‘you get it right’ all the time, which is a logical impossibility of the human condition. What the WHS/OHS/RSNL/EPA legislation demands is a continuous, positive demonstration of safety due diligence. What the community and courts get ‘cranky’ about, post event, is when a precaution exists which was either known or ought to have been known, which was reasonable in all the circumstances and which, if it had been in place would have stopped the horror from occurring.

This means that an essential aspect of a SFAIRP safety case is that there is a continual testing for new or enhanced risk control ideas, to see if they have value and ought to be implemented. But this has to be achieved in a way which satisfies legal scrutiny, pre and post event.

This also means that it is difficult to see how any safety case for any rail operator can be considered robust unless it has been reviewed by relevant legal counsel. In a very real sense, pre-event verification of a safety case can make lawyers really, really useful to accredited rail operators.

References

1. United Kingdom House of Lords (1932). Donoghue v Stevenson. UKHL 100 1932.

2. Work Australia (2011). Model Work Health and Safety Bill. 23 June 2011.

3. The Rail Safety National Law was passed through the South Australian Parliament on 1 May 2012 replacing 46 pieces of State, Territory and Commonwealth legislation.

4. Occupational Health and Safety (Major Hazard Facilities) Regulations 2000 S.R. No. 50/2000 (Victoria).

5. Environment Protection Act 2017(Victoria). Authorised Version incorporating amendments as at 1 July 2021.

6. Cullen Rt Hon Lord (2001). Transport, regulation and safety: a lawyer’s perspective. The Transport Research Institute, United Kingdom.

7. Francis, Gaye and Richard M Robinson (2021). Criminal Manslaughter and How not to do it. (Reprinted 2023). R2A Pty Ltd. Melbourne.

8. Sappideen, Carolyn and R H Stillman (1995). Liability for electrical accidents: risk, negligence and tort. Engineers Australia Pty Limited, Crow’s Nest, Sydney. Page 22.

9. Kuhn T S (1970). The Structure of Scientific Revolutions. 2nd ed. Chicago. University of Chicago Press.

10. Engineers Australia, Risk Engineering Society (2014). Safety Case Guideline. Third edition.

11. The Institution of Engineers, Australia (1990). Are you at risk?

12. FM Global. See: https://www.fmglobal.com.au/about-us/our-business/our-history viewed 3rd March 2023.

13. Reason, James (1997). Managing the Risks of Organisational Accidents. Ashgate Publishing Limited. Aldershot, UK.

14. Robinson, Richard M and Gaye Francis (2022). Engineering Due Diligence (12th edition, reprinted 2023). R2A Pty Ltd. Melbourne.

15. Navicom Dynamics Ltd (New Zealand) and AD Navigation AS (Norway).

16. Australasian Marine Pilots Institute. 2023 Hobart. Building Resilient Pilotage Conference.

17. Navicom Dynamics Ltd. See: https://navicomdynamics.com/en/products/channelpilot viewed 3rd March 2023.

18. 4Tel Pty Ltd. See: https://4tel.com.au/index.php/en/news/12-products/network-control-systems/22-4eta-train-authorities.html viewed 3rd March 2023.

19. Air Services Australia. See: https://www.airservicesaustralia.com/about-us/projects/ads-b/how-ads-b-works/ viewed 3rd March 2023.

20. High Court of Australia (1980). Wyong Shire Council v Shirt. HCA 146 CLR 40.
