R2A recently presented a free webinar, Why Hazops fail the SFAIRP test. It addresses one of the more frequently asked questions we receive as due diligence engineers.
Hazops are a commonly used risk management technique, especially in the process industries. In some ways the name has become generic, in the sense that many use it to mean any safety sign-off review process prior to freezing the design, a bit like the way the English hoover the floor when they actually mean vacuum the floor.
Traditionally, Hazop (hazard and operability) studies are done by considering a particular element of a plant or process and testing it against a defined list of failures to see what the implications for the system as a whole might be. That is, they are bottom-up in nature and so provide a detailed technical insight into potential safety and operational issues of complex systems. They can certainly produce important results.
However, like many bottom-up techniques they have problems with identifying high-consequence common-cause and common-mode failures. This arises simply because the Hazop process is bottom-up in nature rather than top-down.
A detailed assessment of individual components or sub-systems like Hazops examines how that component or sub-system can fail under normal operating conditions.
Hazops attempt to address such ‘knock-on’ effects with a series of general questions after the detailed review is completed, but it nevertheless remains difficult to use a Hazop to determine credible worst-case scenarios.
This is exacerbated by the use of schematics to functionally describe the plant or equipment being examined. Unless the analysis team has an excellent spatial / geographic understanding of the system being considered, it’s very hard to see what bits of equipment are being simultaneously affected by the blast, fire or toxic cloud.
For a limited time, you can watch the webinar recording of the presentation on Why Hazops cannot demonstrate SFAIRP here.
The adoption of the model WHS legislation in Australasia is now practically complete with the passing of the act by the Western Australian parliament. Whilst yet to be proclaimed, the WA version includes criminal manslaughter provisions with a maximum penalty of 20 years for individuals.
Victoria is now formally the only state not to have adopted the model WHS Act, although this is practically inconsequential, as the due diligence concept to demonstrate SFAIRP (so far as is reasonably practicable) is embodied in the 2004 OHS Act, and the criminal manslaughter provisions of same commenced on the 1st of July this year.
New Zealand adopted the model WHS legislation in the form of the Health and Safety at Work Act 2015. Judging by the number of commissions R2A has had in NZ in 2020, it has come as a bit of a surprise to many, particularly to those using the hazard-based approach of target levels of risk and safety such as ALARP (as low as reasonably practicable), that these have been completely superseded by the new legislation and cannot demonstrate safety due diligence.
New Zealand has not presently adopted the criminal manslaughter provisions being introduced into Australia, but it did include the significant penalties for recklessness (knew or made or let it happen) with up to 5 years jail for individuals.
In all Australasian jurisdictions, regulators appear prosecutorially active with a number of cases presently under investigation and before the courts. For example, the White Island volcano incident in New Zealand which killed 22. Ten parties and 3 individuals have been charged.
Perhaps what has surprised many in NZ is the observation by NZ Worksafe, that for critical (kill or maim) hazards like volcanic eruptions, it only has to be reasonably foreseeable, not actually have happened before. That is, the fact that the hazard has not occurred before is not sufficient to warrant not thinking about it any further.
That is, our parliamentarians and judges seem to have decided that due diligence is universal in its application and creates a moral justification for action. This also means the converse, that failure to act demands sanction against the failed decision maker, which is being increasingly tested in our courts.
The start of 2019 has seen much media attention to various incidents resulting from, arguably, negligent decision making.
One such incident was the recent high-rise apartment building fire in Melbourne that resulted in hundreds of residents evacuated.
The fire is believed to have started due to a discarded cigarette on a balcony and quickly spread five storeys. The Melbourne Fire Brigade said it was the building’s combustible cladding exterior that allowed the fire to spread upwards. The spokesperson also stated the cladding should not have been permitted, as buildings higher than three storeys require a non-combustible exterior.
Yet, the Victorian Building Authority did inspect and approve the building.
Similar combustible cladding material was also responsible for another Melbourne based (Docklands) apartment building fire in 2014 and for the devastating Grenfell Tower fire in London in 2017 that killed 72 people with another 70 injured.
This cladding material (and similar) is wide-spread across high-rise buildings across Australia. Following the Docklands’ building fire, a Victorian Cladding Task Force was established to investigate and address the use of non-compliant building materials on Victorian buildings.
Is considering worst case scenario versus risk appropriate?
In a television interview discussing the most recent incident, a spokesperson representing Owners’ Corporations stated owners needed to look at worst case scenarios versus risk. He followed the statement with “no one actually died”.
While we agree risk doesn’t work for high consequence, low likelihood events, responsible persons need to demonstrate due diligence for the management of credible critical issues.
The full suite of precautions needs to be looked at for a due diligence argument following the hierarchy of controls.
The fact that no one died in either of the Melbourne fires can be attributed to Australia’s mandatory requirement of sprinklers in high rise buildings. This means the fires didn’t penetrate the building. However, the elimination of cladding still needs to be tested from a due diligence perspective consistent with the requirements of Victoria’s OHS legislation.
What happens now?
The big question, beyond that of safety, is whether the onus to fix the problem and remove / replace the cladding is now on owners at their cost or will the legal system find construction companies liable due to not demonstrating due diligence as part of a safety in design process?
Residents of the Docklands’ high-rise building decided to take the builder, surveyor, architect, fire engineers and other consultants to the Victorian Civil and Administrative Tribunal (VCAT) after being told they were liable for the flammable cladding.
Defence for the builder centred around evidence of how prevalent the cladding is within Australian high-rise buildings.
The architect’s defence was they simply designed the building.
The surveyor passed the blame onto the Owners’ Corporation for lack of inspections of balconies (where the fire started, like the most recent fire, with a discarded cigarette).
Last week (at the time of writing), the apartment owners were awarded damages for replacement of the cladding, property damages from the fire and an increase in insurance premiums due to risk of future incidents. In turn, the architect, fire engineer and building surveyor have been ordered to reimburse the builder most of the costs.
Findings by the judge included the architect not resolving issues in the design that allowed extensive use of the cladding, a failure of “due care” by the building surveyor in its issue of the building permit, and a failure of the fire engineer to warn the builder that the proposed cladding did not comply with Australian building standards.
Three percent of costs were attributed to the resident who started the fire.
Does this ruling set a precedent?
Whilst other Owners’ Corporations may see this ruling as an opportunity (or back up) to resolve their non-compliant cladding issues, the Judge stated they should not see it as setting any precedent.
"Many of my findings have been informed by the particular contracts between the parties in this case and by events occurring in the course of the Lacrosse project that may or may not be duplicated in other building projects," said Judge Woodward.
If you'd like to discuss how conducting due diligence from an engineering perspective helps make diligent decisions that are effective, safe and compliant, contact us for a chat.
In October and November (2018), I presented due diligence concepts at four conferences: The Chemeca Conference in Queenstown, the ISPO (International Standard for maritime Pilot Organizations) conference in Brisbane, the Australian Airports Association conference in Brisbane (with Phil Shaw of Avisure) and the NZ Maritime Pilots conference in Wellington.
The last had the greatest representation of overseas presenters. In particular, Antonio Di Lieto, a senior instructor at CSMART, Carnival Corporation's Cruise ship simulation centre in the Netherlands. He mentioned that:
a recent judgment in Italian courts had reinforced the paramountcy of the due diligence approach but in this instance within the civil law, inquisitorial legal system.
Australian guidance for gas and liquid petroleum pipeline design comes, to a large extent, from Australian Standard 2885. Amongst other things, AS2885 Pipelines – Gas and liquid petroleum sets out a method for ensuring these pipelines are designed to be safe.
Like many technical standards, AS2885 provides extensive and detailed instruction on its subject matter. Together, its six sub-titles (AS2885.0 through to AS2885.5) total over 700 pages. AS2885.6:2017 Pipeline Safety Management is currently in draft and will likely increase this number.
In addition, the AS2885 suite refers to dozens of other Australian Standards for specific matters.
In this manner, Standards Australia forms a self-referring ecosystem.
R2A understands that this is done as a matter of policy. There are good technical and business reasons for this approach.
However, this hall of mirrors can lead to initially small issues propagating through the ecosystem.
At this point, it is worth asking what a standard actually is.
In short, a standard is a documented assembly of recognised good practice.
What is recognised good practice?
Measures which are demonstrably reasonable by virtue of others spending their resources on them in similar situations. That is, to address similar risks.
But note: the ideas contained in the standard are the good practice, not the standard itself.
And what are standards for?
Standards have a number of aims. Two of the most important are to help people avoid having to make decisions, and to help people make decisions.
That is, standards help people predict and manage the future – people such as engineers, designers, builders, and manufacturers.
When helping people not make decisions, standards provide standard requirements, for example for design parameters. These standards have already made decisions so they don’t need to be made again (for example, the material and strength of a pipe necessary for a certain operating pressure). These are one type of standard.
The other type of standard helps people make decisions. They provide standardised decision-making processes for applications, including asset management, risk management, quality assurance and so on.
Such decision-making processes are not exclusive to Australian Standards.
One of the more important of these is the process to demonstrate due diligence in decision-making – that is that all reasonable steps were taken to prevent adverse outcomes.
This process is of particular relevance to engineers, designers, builders, manufacturers etc., as adverse events can often result in safety consequences.
A diligent safety decision-making process involves:
This addresses the legal obligations of engineers etc. under Australian work health and safety legislation.
Standards fit within this due diligence process as examples of recognised good practice.
They help identify practicable options (the second step) and they help in determining the reasonableness of these measures for the particular issues at hand. Noting the two types of standards above, these measures can be physical or process-based (e.g. decision-making processes).
Each type of standard provides valuable guidance to those referring to it. However, the combination of the self-referring standards ecosystem and the two types of standards leads to some perhaps unintended consequences.
Some of these arise in AS2885.
One of the main goals of AS2885 is the safe operation of pipelines containing gas or liquid petroleum; the draft AS2885:2017 presents the standard's latest thinking.
As part of this it sets out the following process.
If the risk is not acceptable, apply more controls until it is and then move on with the project. (See e.g. draft AS2885.6:2017 Appendix B Figures B1 Pipeline Safety Management Process Flowchart and B2 Whole of Life Pipeline Safety Management.)
But compare this to the decision-making process outlined above, the one needed to meet WHS legislation requirements. It is clear that this process has been hijacked at some point – specifically at the point of deciding how safe is safe enough to proceed.
In the WHS-based process, this decision is made when there are no further reasonable control options to implement. In the AS2885 process the decision is made when enough controls are in place that a specified target level of risk is no longer exceeded.
The latter process is problematic when viewed in hindsight. For example, when viewed by a court after a safety incident.
In hindsight the courts (and society) actually don’t care about the level of risk prior to an event, much less whether it met any pre-determined subjective criteria.
They only care whether there were any control options that weren’t in place that reasonably ought to have been.
‘Reasonably’ in this context involves consideration of the magnitude of the risk, and the expense and difficulty of implementing the control options, as well as any competing responsibilities the responsible party may have.
The AS2885 risk sign-off process does not adequately address this. (To read more about the philosophical differences in the due diligence vs. acceptable risk approaches, see here.)
To take an extreme example, a literal reading of the AS2885.6 process implies that it is satisfactory to sign off on a risk presenting a low but credible chance of a person receiving life-threatening injuries by putting a management plan in place, without testing for any further reasonable precautions.
In this way AS2885 moves away from simply presenting recognised good practice design decisions as part of a diligent decision-making process and, instead, hijacks the decision-making process itself.
In doing so, it mixes recognised good practice design measures (i.e. reasonable decisions already made) with standardised decision-making processes (i.e. the AS31000 risk management approach) in a manner that does not satisfy the requirements of work health and safety legislation. The draft AS2885.6:2017 appears to realise this, noting that “it is not intended that a low or negligible risk rank means that further risk reduction is unnecessary”.
And, of course, people generally don’t behave quite like this when confronted with design safety risks.
If they understand the risk they are facing they usually put precautions in place until they feel comfortable that a credible, critical risk won’t happen on their watch, regardless of that risk’s ‘acceptability’.
That is, they follow the diligent decision-making process (albeit informally).
But, in that case, they are not actually following the standard.
This raises the question:
Is the risk decision-making element of AS2885 recognised good practice?
Our experience suggests it is not, and that while the good practice elements of AS2885 are valuable and must be considered in pipeline design, AS2885’s risk decision-making process should not.
AS2885.6 Section 5:
“... the risk associated with a threat is deemed ALARP if ... the residual risk is assessed to be Low or Negligible”
Consequences (Section 3 Table F1):
Severe - “Injury or illness requiring hospital treatment”. Major: “One or two fatalities; or several people with life-threatening injuries”. So one person with life-threatening injuries = ‘Severe’?
Likelihood (Section 3 Table 3.2):
“Credible”, but “Not anticipated for this pipeline at this location”,
Risk level (Section 3 Table 3.3):
Required action (Section 3 Table 3.4):
“Determine the management plan for the threat to prevent occurrence and to monitor changes that could affect the classification”.
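To make the two stopping rules concrete, here is an added Python sketch (not code from the page, R2A or AS2885) contrasting the target-level sign-off described above with the WHS-based SFAIRP process. The risk matrix, the threat, the candidate controls, their costs and effects, and the proportionality threshold used to judge reasonableness are all constructed for illustration and are not taken from AS2885 or any real pipeline.

```python
from dataclasses import dataclass, replace

# Constructed qualitative scales. Only the class names "Severe" and "Major"
# are reused from the page; the rest of the matrix is invented here.
CONSEQUENCE = ["Minor", "Moderate", "Severe", "Major", "Catastrophic"]
LIKELIHOOD = ["Hypothetical", "Remote", "Unlikely", "Occasional", "Frequent"]
RISK_RANK = ["Negligible", "Low", "Intermediate", "High", "Extreme"]
TARGET_RANKS = {"Negligible", "Low"}  # the page's "deemed ALARP" criterion


def risk_rank(consequence: str, likelihood: str) -> str:
    """Constructed 5x5 matrix: the rank grows with the sum of the two indices."""
    score = CONSEQUENCE.index(consequence) + LIKELIHOOD.index(likelihood)
    # 0-2 Negligible, 3 Low, 4-5 Intermediate, 6 High, 7-8 Extreme
    for rank, upper in zip(RISK_RANK, [2, 3, 5, 6, 8]):
        if score <= upper:
            return rank
    raise ValueError("score outside matrix")


@dataclass(frozen=True)
class Control:
    name: str
    cost: float             # constructed capital cost, AUD
    likelihood_steps: int   # likelihood classes removed by the control
    consequence_steps: int  # consequence classes removed by the control


@dataclass(frozen=True)
class Threat:
    description: str
    consequence: str
    likelihood: str

    def rank(self) -> str:
        return risk_rank(self.consequence, self.likelihood)

    def with_control(self, c: Control) -> "Threat":
        ci = max(0, CONSEQUENCE.index(self.consequence) - c.consequence_steps)
        li = max(0, LIKELIHOOD.index(self.likelihood) - c.likelihood_steps)
        return replace(self, consequence=CONSEQUENCE[ci], likelihood=LIKELIHOOD[li])


# Constructed candidate precautions for a third-party excavation strike.
CANDIDATES = [
    Control("marker signs and patrols", 30_000, 1, 0),
    Control("increased depth of cover", 150_000, 1, 0),
    Control("heavy-wall pipe through the populated section", 400_000, 0, 1),
    Control("re-route away from the populated area", 5_000_000, 0, 2),
]

# Assumed proportionality test (an assumption for this example, not a rule
# from the page or the legislation): judged against the unmitigated
# consequence class, a control is reasonably practicable unless its cost per
# class of risk reduction exceeds the limit below.
COST_LIMIT_PER_STEP = {
    "Minor": 20_000, "Moderate": 100_000, "Severe": 1_000_000,
    "Major": 1_000_000, "Catastrophic": 10_000_000,
}


def target_level_signoff(threat, candidates):
    """AS2885-style: add the cheapest controls until the rank is Low or
    Negligible, then stop, even if cheap effective controls remain."""
    applied = []
    for c in sorted(candidates, key=lambda x: x.cost):
        if threat.rank() in TARGET_RANKS:
            break
        threat = threat.with_control(c)
        applied.append(c.name)
    return applied, threat.rank()


def reasonably_practicable(unmitigated, c):
    steps = c.likelihood_steps + c.consequence_steps
    return c.cost / steps <= COST_LIMIT_PER_STEP[unmitigated.consequence]


def sfairp_process(threat, candidates):
    """WHS-style: apply every reasonably practicable control; the matrix
    rank never terminates the search, only the absence of further
    reasonable options does."""
    applied, rejected, unmitigated = [], [], threat
    for c in sorted(candidates, key=lambda x: x.cost):
        if reasonably_practicable(unmitigated, c):
            threat = threat.with_control(c)
            applied.append(c.name)
        else:
            rejected.append(c.name)
    return applied, rejected, threat.rank()


if __name__ == "__main__":
    for t in (Threat("strike near houses", "Major", "Unlikely"),
              Threat("strike, isolated site", "Severe", "Hypothetical")):
        print(t.description, "| target-level:", target_level_signoff(t, CANDIDATES))
        print(t.description, "| SFAIRP:", sfairp_process(t, CANDIDATES))
```

The second threat is the page's extreme case: a credible chance of life-threatening injury ranked Negligible, so the target-level rule applies nothing while the SFAIRP rule still applies the three proportionate controls.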
The first REBoK session, delivered by Warren Black, considered the domain of risk and risk engineering in the context of risk management generally. It described the commonly available processes and the way they are used.
Following the initial presentation, Warren was joined by R2A Partner, Richard Robinson and Peter Flanagan to answer participant questions. Richard was asked to (again) explain the difference between ALARP (as low as reasonably practicable) and SFAIRP (so far as is reasonably practicable).
The difference between ALARP and SFAIRP and due diligence is a topic we have written about a number of times over the years. As there continues to be confusion around the topic, we thought it would be useful to link directly to each of our article topics.
Does ALARP equal due diligence, written August 2012
Does ALARP equal due diligence (expanded), written September 2012
Due Diligence and ALARP: Are they the same?, written October 2012
SFAIRP is not equivalent to ALARP, written January 2014
When does SFAIRP equal ALARP, written February 2016
Future REBoK sessions will examine how the risk process may or may not demonstrate due diligence.
Due diligence is a legal concept, not a scientific or engineering one. But it has become the central determinant of how engineering decisions are judged, particularly in hindsight in court.
It is endemic in Australian law including corporations law (eg don’t trade whilst insolvent), safety law (eg WHS obligations) and environmental legislation as well as being a defence against (professional) negligence in the common law.
From a design viewpoint, viable options to be evaluated must satisfy the laws of nature in a way that satisfies the laws of man. As the processes used by the courts to test such options forensically are logical and systematic and readily understood by engineers, it seems curious that they are not more often used, particularly since it is a vital concern of senior decision makers.
Stay tuned for further details about upcoming sessions. And if you are needing clarification around risk, risk engineering and risk management, contact us for a friendly chat.
Arising from an expert witness commission, relevant counsel has directed R2A’s attention to Makita (Australia) Pty Ltd v Sprowles [2001] NSWCA 305 (14 September 2001), which provides an excellent review of the role and responsibility of an expert witness, at least in NSW.
Disclosure: Tim Procter worked in Arup’s Melbourne office from 2008 until 2016.
Shortly after Christmas a number of media outlets reported that tier one engineering consulting firm Arup had settled a major court case related to traffic forecasting services they provided for planning Brisbane’s Airport Link tunnel tollway. The Airport Link consortium sued Arup in 2014, when traffic volumes seven months after opening were less than 30% of that predicted. Over $2.2b in damages were sought; the settlement is reportedly more than $100m. Numerous other traffic forecasters on major Australian toll road projects have also faced litigation over traffic volumes drastically lower than those predicted prior to road openings.
Studies and reviews have proposed various reasons for the large gaps between these predicted and actual traffic volumes on these projects. Suggested factors have included optimism bias by traffic forecasters, pressure by construction consortia for their traffic consultants to present best case scenarios in the consortia’s bids, and perverse incentives for traffic forecasters to increase the likelihood of projects proceeding past the feasibility stage with the goal of further engagements on the project.
Of course, some modelling assumptions considered sound might simply turn out to be wrong. However, Arup’s lead traffic forecaster agreeing with the plaintiff’s lead counsel that the Airport Link traffic model was “totally and utterly absurd”, and that “no reasonable traffic forecaster would ever prepare” such a model, indicates that something more significant than incorrect assumptions was to blame.
Regardless, the presence of any one of these reasons would betray a fundamental misunderstanding of context by traffic forecasters. This misunderstanding involves the difference between risk and criticality, and how these two concepts must be addressed in projects and business.
In Australia risk is most often thought of as the simultaneous appreciation of likelihood and consequence for a particular potential event. In business contexts the ‘consequence’ of an event may be positive or negative; that is, a potential event may lead to better or worse outcomes for the venture (for example, a gain or loss on an investment).
In project contexts these potential consequences are mostly negative, as the majority of the positive events associated with the project are assumed to occur. From a client’s point of view these are the deliverables (infrastructure, content, services etc.) For a consultant such as a traffic forecaster the key positive event assumed is their fee (although they may consider the potential to make a smaller profit than expected).
Likelihoods are then attached to these potential consequences to give a consistent prioritisation framework for resource allocation, normally known as a risk matrix. However, this approach does contain a blind spot. High consequence events (e.g. client litigation for negligence) are by their nature rare. If they were common it is unlikely many consultants would be in business at all. In general, the higher the potential consequence, the lower the likelihood.
This means that potentially catastrophic events may be pushed down the priority list, as their risk (i.e. likelihood and consequence) level is low. And, although it may be very unlikely, small projects undertaken by small teams in large consulting firms may have the potential to severely impact the entire company. Traffic forecasting for proposed toll roads appears to be a case in point. As a proportion of income for a multinational engineering firm it may be minor, but from a liability perspective it is demonstrably critical, regardless of likelihood.
There are a range of options available to organisations that wish to address these critical issues. For instance, a board may decide that if they wish to tender for a project that could credibly result in litigation for more than the organisation could afford, the project will not proceed unless the potential losses are lowered. This may be achieved by, for example, forming a joint venture with another organisation to share the risk of the tender.
Identifying these critical issues, of course, relies on pre-tender reviews. These reviews must not only be done in the context of the project, but of the organisation as a whole. From a project perspective, spending more on delivering the project than will be received in fees (i.e. making a loss) would be considered critical. For the Board of a large organisation, a small number of loss-making projects each year may be considered likely, and, to an extent, tolerable. But the Board would likely consider a project with a credible chance, no matter how unlikely, of forcing the company into administration as unacceptable.
This highlights the different perspectives at the various levels of large organisations, and the importance of clear communication of each of their requirements and responsibilities. If these paradigms are not understood and considered for each project tender, more companies may find themselves in positions they did not expect.
It’s hard to believe that 2017 is coming to a close and 2018 is almost here. As part of our end of year wrap up, here are some of the highlights that we would like to share with you.
Engineering is the business of changing things, ostensibly for the better. The change aspect is not contentious. Who decides what’s ‘better’ is the primary source of mischief.
In a free society, this responsibility is morally and primarily placed on the individual, subject always to the caveat that you shouldn’t damage your neighbours in the process. Otherwise you can pursue personal happiness to your heart’s content, even though this often does not make you as happy as you’d hoped. Matters became rapidly more complex once collective cooperation via immortal legal entities known as corporations came to the fore as the best way to generate and sustain wealth. This is particularly significant for engineers, as the successful implementation of big ideas requires large-scale cooperative effort, to the possible detriment of other collectives.
The rule of law underpins the whole social system. It is the method by which harm to others is minimised consistent with the principle of reciprocity (the golden rule – do unto others as you would have done unto you) prevalent in successful, prosperous societies. In Australia it has been implemented via the common law and increasingly, in statute law. Company directors, for example, have to be confident that debts can be paid when they fall due (corporations law), workers (and others) should not be put unreasonably at risk in the search for profits (WHS law) and the whole community should be protected against catastrophic environmental harm (environmental legislation). It is unacceptable for drink-drivers to kill and injure others, the vulnerable to be exploited or the powerful to be immune from prosecution. Everyone is to be equal before the law.
Provided such outcomes are achieved, the corporation and the individuals within them are pretty much free to do as they please. Monitoring all these constraints and ensuring the balance between individual freedoms and unreasonable harm (safety, environmental and financial) to others has become the primary focus of our legal system.
But the world is a complex place and it’s difficult to be always right, particularly when dealing with major projects. It is, however, entirely proper to try to be right within the limits of human skill and ingenuity. The legal solution to address all this has been the notion of ‘due diligence’ and the ‘reasonable person’ test.
Analysing complex issues in a way that is transparent to an entire organisation, the larger society and, if necessary, the courts can be perplexing. Challenges arise in organisations when there are competing ideas of better, meaning different courses of action all constrained with finite resources. This EDD workshop provides a framework for the various internal and external stakeholders to listen to, understand and decide on the optimal course of action taking into account safety, environmental, operational, financial and other factors.
To be ‘safe’, for example, requires that the laws of nature be effectively managed, but done in a way that satisfies the laws of man, in that order.
The learning method at the R2A & EEA public workshops follows a form of the Socratic ‘dialogue’. Typical risk issues and the reasons for their manifestation are articulated and exemplar solutions presented for consideration. The resulting discussion is found to be the best part for participants as they consider how such approaches might be used in their own organisation or project/s.
Current risk issues of concern and exemplar solutions include:
Participants are also encouraged to raise issues of concern. To enable open discussion and explore possible solutions, the Chatham House Rule applies to participants’ remarks meaning everyone is free to use the information received without revealing the identity or affiliation of the speaker.