Why SFAIRP is not a safety risk assessment

Weaning boards off the term risk assessment is difficult.

Even using the term implies that there must be some minimum level of ‘acceptable safety’.

And in one sense, that’s probably the case once the legal idea of ‘prohibitively dangerous’ is invoked.

But that’s a pathological position to take if the only reason you’re not going to do something is that, if it did happen, criminal manslaughter proceedings are a likely prospect.

SFAIRP (so far as is reasonably practicable) is fundamentally a design review. It’s about the process.

The meaning is in the method, the results are only consequences.

In principle, nothing is dangerous if sufficient precautions are in place.

Flying in jet aircraft, when it goes badly, has terrible consequences. But with sufficient precautions, it is fine, even though the potential to go badly is always present. But no one would fly if the go/no-go decision was on the edge of the legal concept of ‘prohibitively dangerous’.

We try to do better than that. In fact, we try to achieve the highest level of safety that is reasonably practicable. This is the SFAIRP position. And designers do it because it has always been the sensible and right thing to do.

The fact that it has also been endorsed by our parliaments, to make those who are not immediately involved in the design process but who receive (financial) rewards from its outcomes accountable for preventing the design process from being diligent, or for failing to let it be, is not the point.

How do you make sure the highest reasonable level of protection is in place? The answer is you conduct a design review using optimal processes which will provide for optimal outcomes.

For example, functional safety assessment using the principle of reciprocity (Boeing should have told pilots about the MCAS in the 737 MAX) supported by the common law hierarchy of control (elimination, prevention and mitigation). And you transparently demonstrate this to all those who want to know via a safety case in the same way a business case is put to investors.

But the one thing SFAIRP isn’t, is a safety risk assessment. Therein lies the perdition.


SFAIRP not equivalent to ALARP

The idea that SFAIRP (so far as is reasonably practicable) is not equivalent to ALARP (as low as reasonably practicable) was discussed in Richard Robinson’s article in the January 2014 edition of Engineers Australia Magazine and generated commentary to the effect that major organisations like Standards Australia, NOPSEMA and the UK Health & Safety Executive say that it is. The following review considers each briefly. This is an extract from the 2014 update of the R2A Text (Section 15.3).

The idea that SFAIRP (so far as is reasonably practicable) is not equivalent to ALARP (as low as reasonably practicable) was originally discussed in Richard Robinson’s article in the January 2014 edition of Engineers Australia Magazine. At the time, it generated much commentary to the effect that major organisations like Standards Australia, NOPSEMA and the UK Health & Safety Executive say that it is.

Fast forward to 2022 and this is still the case.

The following review considers each briefly. This is an extract from the 2022 update of the R2A Text Engineering Due Diligence – How To Demonstrate SFAIRP (Section 19.3).

The UK HSE’s document, ALARP “at a glance” [1], notes:

“You may come across it as SFAIRP (“so far as is reasonably practicable”) or ALARP (“as low as reasonably practicable”). SFAIRP is the term most often used in the Health and Safety at Work etc Act and in Regulations. ALARP is the term used by risk specialists, and duty-holders are more likely to know it. We use ALARP in this guidance. In HSE’s view, the two terms are interchangeable except if you are drafting formal legal documents when you must use the correct legal phrase.”

R2A’s view is that the prudent approach is to always use the correct legal term in the way the courts apply it, irrespective of what a regulator says to the contrary.

NOPSEMA are quite clearly focussed on the precautionary approach to risk. Their briefing paper on ALARP [2] indicates in the Core Concepts that:

“Many of the requirements are qualified by the phrase “reduce the risks to a level that is as low as reasonably practicable”. This means that the operator has to show, through reasoned and supported arguments, that there are no other practical measures that could reasonably be taken to reduce risks further.” (Bolding by R2A).

That is, NOPSEMA wish to ensure that all reasonably practicable precautions are in place, which is the SFAIRP concept. Indeed, later in Section 8, Good practice and reasonable practicability, there is a discussion concerning the legal, court-driven approach to risk. Whilst ALARP is mostly used elsewhere in the document, here NOPSEMA notes:

“When reviewing health or safety control measures for an existing facility, plant, installation or for a particular situation (such as when considering retrofitting, safety reviews or upgrades), operators should compare existing measures against current good practice. The good practice measures should be adopted so far as is reasonably practicable. It might not be reasonably practicable to apply retrospectively to existing plant, for example, all the good practice expected for new plant. However, there may still be ways to reduce the risk e.g. by partial solutions, alternative measures, etc.” (Bolding by R2A).

Standards Australia seems to be severely conflicted in this area in many standards, some of which are called up by statute. For example, the Power System Earthing Guide presents huge difficulties.

Another example is AS 5577 – 2013 Electricity network safety management systems, Section 1.2 Fundamental Principles, point (e), which requires life-cycle SFAIRP for risk elimination and ALARP for risk management:

Hazards associated with the design, construction, commissioning, operation, maintenance and decommissioning of electrical networks are identified, recorded, assessed and managed by eliminating safety risks so far as is reasonably practicable, and if it is not reasonably practicable to do so, by reducing those risks to as low as reasonably practicable. (Bolding by R2A).

It seems that Standards Australia simply do not see that there is a difference. The terms appear to be used interchangeably.

Safe Work Australia refers only to SFAIRP [3]. There does not appear to be any confusion whatsoever. For example, the Interpretative Guideline – Model Work Health and Safety Act The Meaning of ‘Reasonably Practicable’ indicates:

“What is ‘reasonably practicable’ is determined objectively. This means that a duty-holder must meet the standard of behaviour expected of a reasonable person in the duty-holder’s position and who is required to comply with the same duty.

“There are two elements to what is ‘reasonably practicable’. A duty-holder must first consider what can be done - that is, what is possible in the circumstances for ensuring health and safety. They must then consider whether it is reasonable, in the circumstances to do all that is possible.

“This means that what can be done should be done unless it is reasonable in the circumstances for the duty-holder to do something less.

“This approach is consistent with the objects of the WHS Act which include the aim of ensuring that workers and others are provided with the highest level of protection that is reasonably practicable.”

ALARP is simply not mentioned, anywhere.

Although the ALARP versus SFAIRP debate continues in many places, and the current position of many is that SFAIRP equals ALARP, nothing could be further from the truth.

For engineers, the meaning is in the method; results are only consequences.

SFAIRP represents a fundamental paradigm shift in engineering philosophy and the way engineers are required to conduct their affairs.

It represents a drastically different way of dealing with future uncertainty.

It represents the move from the limited hazard, risk and ALARP analysis approach to the more general designers’ criticality, precaution and SFAIRP approach.

That is:

From: Is the problem bad enough that we need to do something about it?

To: Here’s a good idea to deal with a critical issue, why wouldn’t we do it?

SFAIRP is paramount in Australian WHS legislation and has flowed into Rail and Marine Safety National law, amongst others.

In Victoria, SFAIRP has now also been incorporated into Environmental legislation.

Apart from the fact that SFAIRP is absolutely endemic in Australian legislation with manslaughter provisions to support it proceeding apace, SFAIRP is just a better way to live.

It presents a positive, outcome driven design approach, always testing for anything else that can be done rather than trusting an unrepeatable (and therefore unscientific) estimation of rarity for why you wouldn’t.


If you'd like to learn more about SFAIRP for Engineering Due Diligence, you may be interested in purchasing our textbook. If you'd like to discuss how R2A can help your organisation, fill out our contact form and we'll be in touch. 


Editor's note: This article was originally published on 22 January 2014 and has been updated for accuracy and comprehensiveness.

[1] https://www.hse.gov.uk/managing/theory/alarpglance.htm viewed 21 February 2022
[2] https://www.nopsema.gov.au/sites/default/files/documents/2021-03/A138249.pdf viewed 21 February 2022
[3] https://www.safeworkaustralia.gov.au/system/files/documents/2002/guide_reasonably_practicable.pdf viewed 21 February 2022


Why Hazops fail the SFAIRP test & why this is important

R2A recently presented a free webinar, Why Hazops fail the SFAIRP test. It is one of the more frequently asked questions we receive as Due Diligence Engineers.

Hazops are a commonly used risk management technique, especially in the process industries. In some ways the name has become generic, in the sense that many use it as a safety sign-off review process prior to freezing the design, a bit like the way the English hoover the floor when they actually mean vacuum the floor.

Traditionally, Hazop (hazard and operability) studies are done by considering a particular element of a plant or process and testing it against a defined list of failures to see what the implications for the system as a whole might be. That is, they are bottom-up in nature and so provide a detailed technical insight into potential safety and operational issues of complex systems. They can certainly produce important results.

However, like many bottom-up techniques they have problems with identifying high-consequence common-cause and common-mode failures. This arises simply because the Hazop process is bottom-up in nature rather than top-down.

A detailed assessment of individual components or sub-systems, such as a Hazop, examines how that component or sub-system can fail under normal operating conditions.

Hazops do not examine how a catastrophic failure elsewhere (like a fire or explosion) might simultaneously affect this component or the others around it.

Hazops attempt to address such ‘knock-on’ effects with a series of general questions after the detailed review is completed, but it nevertheless remains difficult to use a Hazop to determine credible worst-case scenarios.

This is exacerbated by the use of schematics to functionally describe the plant or equipment being examined. Unless the analysis team has an excellent spatial / geographic understanding of the system being considered, it’s very hard to see what bits of equipment are being simultaneously affected by the blast, fire or toxic cloud.

This means that it is difficult to use a Hazop to determine credible worst-case scenarios and ensure SFAIRP has been robustly demonstrated for all credible, critical hazards.

For a limited time, you can watch the webinar recording of the presentation on Why Hazops cannot demonstrate SFAIRP here.

If you’d like to discuss any aspect of this article, your due diligence / risk management approaches, or how we can conduct an in-house briefing on a particular organisational due diligence issue, contact us for a chat.


Risk Engineering Body of Knowledge

Engineers Australia, with the support of the Risk Engineering Society, have embarked on a project to develop a Risk Engineering Body of Knowledge (REBoK). Register to join the community.

The first REBoK session, delivered by Warren Black, considered the domain of risk and risk engineering in the context of risk management generally. It described the commonly available processes and the way they were used.

Following the initial presentation, Warren was joined by R2A Partner, Richard Robinson and Peter Flanagan to answer participant questions. Richard was asked to (again) explain the difference between ALARP (as low as reasonably practicable) and SFAIRP (so far as is reasonably practicable).

The difference between ALARP and SFAIRP and due diligence is a topic we have written about a number of times over the years. As there continues to be confusion around the topic, we thought it would be useful to link directly to each of our article topics.

Does ALARP equal due diligence, written August 2012

Does ALARP equal due diligence (expanded), written September 2012

Due Diligence and ALARP: Are they the same?, written October 2012

SFAIRP is not equivalent to ALARP, written January 2014

When does SFAIRP equal ALARP, written February 2016

Future REBoK sessions will examine how the risk process may or may not demonstrate due diligence.

Due diligence is a legal concept, not a scientific or engineering one. But it has become the central determinant of how engineering decisions are judged, particularly in hindsight in court.

It is endemic in Australian law including corporations law (eg don’t trade whilst insolvent), safety law (eg WHS obligations) and environmental legislation as well as being a defence against (professional) negligence in the common law.

From a design viewpoint, viable options to be evaluated must satisfy the laws of nature in a way that satisfies the laws of man. As the processes used by the courts to test such options forensically are logical and systematic and readily understood by engineers, it seems curious that they are not more often used, particularly since it is a vital concern of senior decision makers.

Stay tuned for further details about upcoming sessions. And if you are needing clarification around risk, risk engineering and risk management, contact us for a friendly chat.


R2A Event 2014

Following on from the success of our client and colleagues function in 2013, we will be hosting another event on Thursday, 6th February 2014 from 3pm to 5pm.

Richard will launch the 2014 update of the R2A Text. R2A has concluded that the risk and liability world is changing so fast at the moment that, until further notice, the text will be updated annually at least.

Matters of interest include:

  • The introduction of the Rail Safety National Law which is complementary but subordinate to the model WHS legislation.
  • The expected approval in the new year of the Engineers Australia Safety Case Guideline (3rd Edition). This specifically rejects the Risk Management Standard (AS 31000) as being able to positively demonstrate due diligence for high consequence – low frequency events.
  • Why SFAIRP (so far as is reasonably practicable) can never equal ALARP (as low as reasonably practicable) legally.
  • The logical limitations of Monte Carlo simulation for demonstrating project due diligence.

Richard will also outline the outlook for 2014.

We expect a lively discussion so please pencil in the date, RSVP and join us on the 6th February.
