Implications for Designers of the Engineers Australia Safety Case Guideline (3rd Edition)


Session Four: Implications for Designers of the Engineers Australia Safety Case Guideline (3rd Edition)

Electrical Regulatory Compliance Forum

Gaye Francis and Richard Robinson, Directors, R2A Due Diligence Engineers

Introduction

The 3rd Revision of the Engineers Australia Safety Case Guideline is in draft form. It extends the precautionary common law safety case concept of the two earlier editions (2002 and 2007) to consider how the safety case can be used as a tool to positively demonstrate safety due diligence consistent with the provisions of the model Work Health and Safety (WHS) legislation that has commenced in all Australian jurisdictions except, at the time of writing, Western Australia and Victoria.

The Guideline outlines a shift from hazard based risk assessment supported by the risk management standard to the precautionary due diligence approach now mandated by most Australian parliaments. Such a change has significant implications for designers, especially in the use, as design tools, of standards that work to target levels of risk and safety such as the EG(0) Power System Earthing Guide and IEC 61508, the functional safety standard. Any design that relies on a process that is specifically rejected by statute will give rise to serious legal difficulties, and in the event of a fatality a beyond reasonable doubt proof of recklessness would be available, which is expected to lead to criminal charges for responsible officers of designer PCBUs (persons conducting a business or undertaking).

Much of the subject of this paper was also presented at an IDC conference in 2011¹ before the commencement of the WHS act in Australian jurisdictions. The authors have since tested the position described in this paper with many lawyers and in-house legal counsel, to the unanimous approval of them all.

1  Gaye E Francis and Richard M Robinson (2011). Power Safety Due Diligence. Proceedings of the IDC “Power System Protection & Earthing Forum”. Perth. 23-24 November 2011.


System of Law in Australia

There are two basic kinds of laws in Australia: statute law, which is made by a Parliament consisting of democratically elected members, and common law, which is law made by judges when deciding cases². Statute law (also called legislation) may be made by the Commonwealth Parliament, or by the Parliament of a State or Territory.

Common law has its origins in England in the 12th century, before there was any Parliament in England, when the King of England at that time (Henry II) appointed members of his court to hear complaints and do justice on his behalf. Judges making decisions drew on their notions of justice or fairness, sometimes customs or traditions, sometimes Roman law. Reasons for judges’ decisions were recorded, and this body of case law, known as the common law, became the most important source of law for judges. In time, judges considered themselves to be bound to follow the precedents set by other judges in earlier cases.

The High Court of Australia is the highest court in the Australian judicial system. It was established in 1901 by Section 71 of the Constitution³. The functions of the High Court are to interpret and apply the law of Australia; to decide cases of special federal significance, including challenges to the constitutional validity of laws; and to hear appeals, by special leave, from Federal, State and Territory courts. Australia inherited the common law system from the UK, and with the passage of the Australia Acts of the 1980s eliminating appeals to the Privy Council, the High Court of Australia became the ultimate ‘reference’ for Australian case law.

In Australia court cases are conducted under the adversarial system, in which the court is asked to adjudicate upon ‘issues’ put forward by the parties upon evidence adduced by the parties. The presiding judge has no power of inquiry (the ‘inquisitorial system’), unlike courts in parts of Europe⁴.

There are several points about the adversarial system that need to be remembered. It is first and foremost a court of law. And the courts are always right even when they are in error, as the decisions of appellate courts reveal. And, as Engineers Australia notes in the brochure Are You at Risk⁵ (1990):

Adversarial courts are not about dispensing justice, they are about winning actions.

In this context, the advocates are not concerned with presenting the court with all the information that might be relevant to the case. Quite the reverse, each seeks to exclude information considered to be unhelpful to their side's position.

2  Adapted from: http://www.austlii.edu.au/au/other/liac/hot_topic/hottopic/2002/3/1.html viewed 5 April 2013.
3  Adapted from: http://www.hcourt.gov.au/about/role-of-the-high-court viewed 28 April 2013.
4  http://www.nswbar.asn.au/docs/resources/publications/structure.pdf viewed 5 April 2013.
5  Institution of Engineers, Australia (1990). Are You at Risk? Canberra.


The idea is that the truth lies somewhere between the competing positions of the advocates. Further, courts do not deal in facts, they deal in opinions. Again from Are You at Risk:

What is a fact? Is it what actually happened between Sensible and Smart? Most emphatically not. At best, it is only what the trial court - the trial judge or jury - thinks happened. What the trial court thinks happened may, however, be hopelessly incorrect. But that does not matter - legally speaking.

That is, in court, the laws of man take precedence over the laws of nature⁶, which can be particularly astonishing to engineers. In the adversarial system innocence must be assumed or there is no case to try. If the defendant pleads guilty, for example, the case stops immediately other than for the determination of the penalty.

Engineering Due Diligence

Due diligence (or care) is a legal concept, derived from the societal need to ensure fairness in dealings between human beings. It has been variously defined, for example:

The diligence reasonably expected from, and ordinarily exercised by, a person who seeks to satisfy a legal requirement or obligation⁷

and,

A minimum standard of behaviour which provides against contravention of relevant regulatory provisions and adequate supervision ensuring that the system is properly carried out.⁸

Such legal obligations can be created in the common law or by statute law, as has occurred with the commencement of the Model Work Health and Safety (WHS) Act (2011) in most Australian jurisdictions. One immediate reaction to such a definition is to institute a legal and regulatory compliance audit. The difficulty with this approach to safety (meaning a lack of harm) is that in a complex industrial society mere compliance with legislation, and with all the regulations made by regulators under such legislation, will not necessarily make any particular situation or circumstance safe in reality. To be safe requires that the laws of nature be managed competently prior to compliance with the laws of man.

6  For example, in Turner v The State of South Australia (1982) (HCA), the judges in the High Court of Australia, when discussing why a lower court might have come to a particular judgement, noted that: It is possible that their Honours were also influenced by the opinion of an orthopaedic surgeon, Mr Jose, that the upward force required to raise a 400 lb drum from the prone to the upright position was 400 lbs. That evidence which was set out in the judgement of Williams J at the first instance is plainly mistaken. The upward force required to up-end a drum, with the bottom rim remaining on the ground, is an initial force of approximately 200 lbs which progressively decreases as the top end is raised.
7  Black’s Law Dictionary, 4th Edition (2009)
8  LexisNexis Concise Australian Legal Dictionary, 4th Edition (2011)


Engineering due diligence is about overcoming this practical difficulty by ensuring that the laws of nature and the laws of man simultaneously align. Logically and practically, in order to be safe, it is better to manage the laws of nature first and then to confirm that the requirements of the laws of man have been met, rather than the other way around.

Common Law Due Diligence

Due diligence has been a primary defence against the tort (or wrong) of negligence in the common law. In this context, what constitutes due diligence in Australian case law has been established in a decision of the High Court of Australia. In an appeal to the High Court from the Court of Appeal of the Supreme Court of NSW⁹, Stephen J noted:

This appeal involves interpretation of the Hague Rules. During heavy weather in the Great Australian Bight, the severity of which was unusual but not unforeseeable, a number of drums of cleaning solvent stowed in a ship's hold broke adrift, were damaged and their contents lost. The means of securing them in place in the hold had been inadequate.

Under the Hague Rules (to which Australia is a signatory), Article IV Rights and Immunities states:

1. Neither the carrier nor the ship shall be liable for loss or damage arising or resulting from unseaworthiness unless caused by want of due diligence on the part of the carrier to make the ship seaworthy, and to secure that the ship is properly manned, equipped and supplied...

Whenever loss or damage has resulted from unseaworthiness, the burden of proving the exercise of due diligence shall be on the carrier or other person claiming exemption under the section.

Reynolds J.A. summed up the conclusion of the Court of Appeal of the Supreme Court of NSW in the following words:

Loss or damage does not arise or result from perils of the sea where negligence is a concurrent cause. Where negligence allows or facilitates the perils of the sea to inflict damage on cargo, then in all relevant respects the loss or damage arises or results from the negligence. The perils of the sea must be guarded against by the use of due care.

The judges of the High Court unanimously dismissed an appeal to the High Court and supported the view of the NSW Court of Appeal summarised by Reynolds J.A. above. And when 10 superior court judges unanimously agree on a particular point then this is robust case law and unlikely to change in the near future.

9  Shipping Corporation of India Ltd v Gamlen Chemical Co. A/Asia Pty Ltd [1980] HCA 51; (1980) 147 CLR (12 December 1980)  


Model WHS Act (Statutory) Due Diligence

The model WHS Act¹⁰ has commenced in most Australian jurisdictions, presently excepting Western Australia and Victoria. The act requires responsible officers of PCBUs (persons conducting a business or undertaking) to positively demonstrate safety due diligence. Penalties are criminal in nature and can provide for up to 5 years jail for responsible officers for recklessness (knew, or made or let it happen). These responsibilities cannot be delegated, although as a statutory invocation, such charges must be proved beyond reasonable doubt. The meaning of due diligence is considered in Part 2, Division 4 (27) of the model WHS Act:

(5) In this section, due diligence includes taking reasonable steps:
(a) to acquire and keep up-to-date knowledge of work health and safety matters; and
(b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; and
(c) to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; and
(d) to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; and
(e) to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under this Act; and
(f) to verify the provision and use of the resources and processes referred to in paragraphs (c) to (e).

The first approved draft of the model act left due diligence to be determined by case law. The next cut defined due diligence to be the six points listed above. The third and subsequent revisions advised that due diligence includes... these six points. This single word change is perhaps significant. For example, the WorkCover NSW¹¹ authority advises that exercising due diligence includes, but is not limited to, the six points listed above.

10  Model Work Health and Safety Act (revised draft 23 June 2011) as viewed at http://www.safeworkaustralia.gov.au/sites/swa/about/publications/pages/model-work-health-safety-act-23-june-2011 on 5 April 2013. Note that each jurisdiction has implemented the legislation slightly differently although the general principles remain consistent. For example, NSW uniquely imposes strict liability (Clause 12A).
11  WorkCover NSW, http://www.workcover.nsw.gov.au/newlegislation2012/Directorsandofficers/Pages/Duediligence.aspx, viewed 19 Oct 2012.

The Australian government has provided the following definition in “Guidance for Officers in Exercising Due Diligence”¹² under the WHS act:

Due diligence – in the context of work health and safety – means taking every precaution that is reasonable in the circumstances to protect the health, safety and welfare of all workers and others who could be put at risk from work carried out as part of the business or undertaking.

Reasonably Practicable

According to the model WHS Act (Part 2, Division 1, Section 17):

A duty imposed on a person to ensure health and safety requires the person:
(a) to eliminate risks to health and safety, so far as is reasonably practicable; and
(b) if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable.

The meaning of reasonably practicable is defined in Subdivision 2:

18 What is reasonably practicable in ensuring health and safety?
In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:
(a) the likelihood of the hazard or the risk concerned occurring; and
(b) the degree of harm that might result from the hazard or the risk; and
(c) what the person concerned knows, or ought reasonably to know, about:
  (i) the hazard or the risk; and
  (ii) ways of eliminating or minimising the risk; and
(d) the availability and suitability of ways to eliminate or minimise the risk; and
(e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

In other words (quoting Barry Sherriff¹³, one of the lawyers who helped draft the legislation), the model WHS Act:

Simply makes clear that you start with what can be done and only do less where it is reasonable to do so.

12  Guidance for Officers in Exercising Due Diligence, Australian government, http://www.comcare.gov.au/WHS/guidance_and_resources/guidance/guidance_for_officers_in_exercising_due_diligence/due_diligencewhere_to_start_and_what_does_it_mean_to_you viewed 1 April 2013.
13  Barry Sherriff (March 2011) from a presentation to Engineers Australia, Brisbane.


Hazard to precaution based risk management

The traditional way to address safety risk is to:

• Identify the hazards
• Characterise the risk (likelihood and consequence) associated with each hazard
• Compare this risk to tolerable or acceptable risk criteria or targets
• If the criteria are not satisfied, then implement controls (precautions or mitigations) until they are.

Such an approach has never satisfied common law judicial scrutiny. The diagram below shows the difference between the two approaches, especially for high consequence, low likelihood events. The top loop describes the traditional hazard focused analysis listed above. If the technical risk target were achieved in reality, the hazards of concern would not eventuate in the analyst’s lifetime. But this is not the way of the world. Sometimes bad things will happen and the courts will examine the results.

[Figure: Hazard vs Precaution focussed risk management¹⁴. Time runs from the decision regarding a hazard, through future uncertainty, to the unwanted event/s and the judgement. Top loop (hazard focussed): the decision is tested against technical risk targets. Bottom loop (precaution focussed): the decision on what is safety critical is tested by judicial scrutiny after the unwanted event.]

The bottom loop describes the precautionary legal process applied by the courts. This is necessarily hindsight biased. The courts simply do not care how often matters went well. By definition, the courts only examine the minority of things that went wrong. After the event, the fact is certain. This means that, from the court’s viewpoint, prior-to-the-event estimates of rarity for serious events were presumably flawed and that, prima facie, those who made such estimates have provided beyond-reasonable doubt proof of negligence. As a judge in NSW has been reported as saying to engineers after a major accident:

What do you mean you did not think it could happen? There are 7 dead.

14  Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due Diligence (9th Edition). R2A Pty Ltd. Page 26


The way the courts assess the situation is to consult post-event expert witnesses as to what could have been done to have prevented the disaster. Being an expert with the advantage of hindsight is a comparatively straightforward task. The only time the notion of risk is used in court is when the court is testing to see if the precautions suggested by such experts (after the event) were reasonable in view of what was known at the time of the decision.

SFAIRP vs ALARP

The diagram below describes the two approaches in a different way. The left hand side of the loop describes the legal approach, which results in risk being eliminated or minimised so far as is reasonably practicable (SFAIRP) as described in the model WHS legislation.

[Figure: Precaution vs hazard based approaches to risk management¹⁵, titled "Risk management of downside (negative or pure) risk". Both loops start from Hazard identification (foreseeability) and close with Monitoring and review (quality assurance).

Left loop, SFAIRP, common law approach (precaution based and criticality driven): Criticality (establish critical hazards); Preventability (identify all practicable precautions for each critical hazard following the hierarchy of controls); Reasonableness (determine which practicable precautions are reasonable based on the High Court established balance, disproportionality); Implementation of reasonably practicable precautions; Due diligence.

Right loop, ALARP, target risk approach (hazard based and risk driven), with the difficulties noted in blue given in parentheses: Hazard analysis and risk calculation (process to determine the nature of risk and the level of risk; inherently unrepeatable); Selected risk criteria (terms of reference against which the significance of a risk is evaluated; inherently subjective); Compare against criteria (process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable; may eliminate further consideration of acceptable or tolerable risks); Risk mitigation and management options (process to modify risk; may not follow the hierarchy of controls).]

The hazard based loop, shown on the right hand side, attempts to demonstrate that risk is as low as reasonably practicable, or ALARP. But there are major difficulties with each step of this approach, as noted (in blue) on the diagram. Firstly, hazard analysis and risk calculations are inherently unrepeatable. Two independent risk experts assessing the same circumstances or situation never come up with the same answer (unless they use deliberately identical assumptions and processes, in which case the assessment is not independent).

15  Robinson Richard M, Gaye E Francis, Peter Hurley et al (2013). Risk and Reliability: Engineering Due Diligence (9th Edition). R2A Pty Ltd. Page 167.  


Risk calculations and characterisations to enable a comparison with risk criteria are always imperfect, especially with regard to human failings and management systems. Quoting Mark Tweeddale¹⁶:

In the case of the process industry, most of the major disasters in recent years have resulted primarily from failures of management systems, which would not have been included in the quantitative assessment of risk, and not from random equipment failures such as are statistically assessable using data from data banks. This is a most serious limitation...

Secondly, risk criteria are subjective. The old adage should probably be extended to: there are lies, damned lies, statistics and then there are target risk criteria. Most risk criteria are based on statistical analyses. The traditional way to determine them is to consider mortality and injury statistics. But they are just that, statistics. The numbers change according to the exposed group selected. For example, the lightning strike death rate of around 1 in 10 million (for the whole population) is often selected as the lower limit to risk scrutiny for individual risk. However, if the mortality figures for the group of people who play golf during lightning storms are considered, the rate will be much higher. Which number ought to be used? Further, the inconsistency in individual and societal risk criteria between states, especially Victoria and NSW, dating from the mid-nineties is problematic.

Thirdly, if the risk associated with a hazard is below the acceptable or tolerable threshold, there is a tendency to say that nothing further needs to be done, which is always problematic with low frequency, high severity events. The overall situation is perhaps best summarised by Chief Justice Gibbs of the High Court of Australia¹⁷:

Where it is possible to guard against a foreseeable risk, which, though perhaps not great, nevertheless cannot be called remote or fanciful, by adopting a means, which involves little difficulty or expense, the failure to adopt such means will in general be negligent.

That is, it does not matter how low the risk estimate is: if more can be done for very little effort, then the failure to do so will be negligent in the event of an incident. This leads to the fourth concern, that the temptation is to implement a precaution that reaches the target risk threshold without formally considering the hierarchy of controls.
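As an added illustration (not from the paper), the two loops of the SFAIRP vs ALARP diagram above, run in Python over constructed hazards: the target-risk pass stops as soon as a criterion is met and skips anything already below it, while the precaution-based pass tests every practicable precaution in hierarchy-of-controls order and rejects one only where its cost is grossly disproportionate to the risk it removes, which is the Gibbs CJ point on cheap precautions against low risks. The hazards, precautions, costs, risk figures, the criterion, the disproportion factor and the loss valuation are all assumptions made for the example.

```python
# Added illustration (not from the paper): the two loops of the SFAIRP vs ALARP
# diagram run over constructed hazards. Every hazard, precaution, cost, risk
# figure, criterion, disproportion factor and valuation below is an assumption
# made for the example, not a value from the paper or any standard.
from dataclasses import dataclass, field

# Hierarchy of controls, most effective first; the precaution-based loop
# walks candidates in this order.
HIERARCHY = ["eliminate", "substitute", "engineer", "administer", "ppe"]


@dataclass
class Precaution:
    name: str
    level: str              # one of HIERARCHY
    cost: float             # constructed effort units for the example
    risk_reduction: float   # fraction of the remaining risk it removes (0..1)


@dataclass
class Hazard:
    name: str
    risk: float             # constructed estimate, events per year
    options: list[Precaution] = field(default_factory=list)


def target_risk_pass(hazard, criterion):
    """Right-hand (ALARP) loop: compare against a target; stop when satisfied.

    Candidates are tried cheapest first, which is what a cost-minimising
    analysis tends to do; the hierarchy of controls is never consulted, and a
    hazard already under the criterion gets no further consideration.
    """
    adopted, risk = [], hazard.risk
    if risk <= criterion:
        return adopted, risk
    for p in sorted(hazard.options, key=lambda p: p.cost):
        adopted.append(p.name)
        risk *= 1 - p.risk_reduction
        if risk <= criterion:
            break
    return adopted, risk


def sfairp_pass(hazard, disproportion_factor, value_per_event):
    """Left-hand (SFAIRP) loop: test every practicable precaution.

    Candidates are taken highest in the hierarchy first. A precaution is
    rejected only where its cost is grossly disproportionate to the risk it
    removes, here modelled as cost exceeding the factor times the expected
    loss avoided (an assumed reading of the s18(e) balance). There is no
    threshold below which the loop stops.
    """
    adopted, rejected, risk = [], [], hazard.risk
    for p in sorted(hazard.options, key=lambda p: HIERARCHY.index(p.level)):
        loss_avoided = risk * p.risk_reduction * value_per_event
        if p.cost > disproportion_factor * loss_avoided:
            rejected.append(p.name)
            continue
        adopted.append(p.name)
        risk *= 1 - p.risk_reduction
    return adopted, rejected, risk


# Constructed hazards for the example.
CONTACT = Hazard("contact with energised conductor", risk=1e-3, options=[
    Precaution("interlocked enclosure", "engineer", cost=50_000, risk_reduction=0.9),
    Precaution("warning signage", "administer", cost=500, risk_reduction=0.2),
    Precaution("insulated gloves", "ppe", cost=200, risk_reduction=0.5),
])
STEP_POTENTIAL = Hazard("step potential at fence line", risk=1e-5, options=[
    Precaution("relocated fence", "engineer", cost=1_000_000, risk_reduction=0.9),
    Precaution("gravel surface layer", "engineer", cost=100, risk_reduction=0.5),
])

CRITERION = 6e-4          # constructed 'tolerable' target, events per year
FACTOR = 10               # constructed gross-disproportion multiplier
VALUE = 1e7               # constructed loss per event, same units as cost


def compare(hazard):
    """Run both loops on one hazard and return what each adopts or rejects."""
    alarp, _ = target_risk_pass(hazard, CRITERION)
    sfairp, rejected, _ = sfairp_pass(hazard, FACTOR, VALUE)
    return {"alarp": alarp, "sfairp": sfairp, "rejected": rejected}


if __name__ == "__main__":
    for h in (CONTACT, STEP_POTENTIAL):
        print(h.name, compare(h))
```

For the first hazard the target pass stops after the cheapest PPE item and never reaches the engineering control; for the second, which sits under the criterion, the target pass does nothing while the precaution pass still adopts the cheap option and rejects only the grossly disproportionate one.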

16  Tweeddale, M., 2003. Managing Risk and Reliability of Process Plants. Boston: Gulf Professional Publishing.
17  Turner v The State of South Australia (1982), High Court of Australia (before Gibbs CJ, Murphy, Brennan, Deane and Dawson JJ).


The hazard based approach seems to address its legal limitations with regard to mitigations by adding caveats, for example from the NSW Land Use Safety Planning Guidelines¹⁸:

While it is useful to have objective, quantitative risk criteria, qualitative principles are equally important. These include:
1. all ‘avoidable’ risks should be avoided;
2. particular attention needs to be given to eliminating or reducing major hazards, irrespective of whether numerical criteria are met; and
3. as far as possible, the consequences of significant events should be kept within facility boundaries.

The legal system (which requires a demonstration of due diligence following the left hand side of the diagram) does not have this problem. As Andrew Hopkins¹⁹ notes:

At law, employers must drive down risks as far as is reasonably practicable, and there is no level of risk which, a priori, can be said to be acceptable. Moreover, the law has a well-defined set of principles for determining whether risks are as low as reasonably practicable, and despite the indeterminacy of these principles, it is by no means clear that QRA and the tolerability / acceptability framework offers a better way of deciding how low is low enough.

All this was not a legal issue whilst relevant statute law enabled the hazard based approach, as statute law always takes precedence over the common law. However, once the legal concept of due diligence is called up by statute via the model WHS act, the issue can no longer be sidestepped. The point of the shift is to ensure that all reasonably practicable precautions are in place rather than to achieve an indefensible tolerable or acceptable level of risk or safety, which is a typical result of the hazard based approach. As Carveth Read²⁰ put it in 1898:

It is better to be vaguely right than exactly wrong.

18  NSW Department of Planning (2011). HIPAP 4: Risk Criteria for Land Use Safety Planning. Page 3. Downloaded 5 April 2013 from: http://www.planning.nsw.gov.au/LinkClick.aspx?fileticket=mEA7owrSNTg%3d&tabid=168&language=en-AU.
19  Andrew Hopkins (2005). Safety, Culture and Risk. The Organisational Causes of Disasters. CCH Australia. p 137.
20  Carveth Read (1898). Logic, Deductive and Inductive.


Due Diligence vs the Risk Management Standard

This shift is from a hazard based risk assessment approach (which appears to be encouraged by the risk management standard ISO 31000²¹) to the precautionary due diligence approach (encouraged by the common law and now the model WHS act), summarised in the table below.

Precaution based Due Diligence ≠ Hazard based ISO 31000

Focus
  Due diligence: precaution focused, by testing all practicable precautions for reasonableness, that is, on the balance of the significance of the risk vs. the effort required to reduce it.
  ISO 31000: hazard focused, by comparison to acceptable or tolerable target levels of risk²².

Process
  Due diligence: establish the context; risk assessment (precaution based): identify credible, critical issues, identify precautionary options, risk-effort balance evaluation; risk action (treatment).
  ISO 31000: establish the context; risk assessment (hazard based): (hazard) risk identification, (hazard) risk analysis, (hazard) risk evaluation; risk treatment.

Driver
  Due diligence: criticality driven. Usual interpretation of the WHS Act and common law.
  ISO 31000: risk (likelihood and consequence) driven. Usual interpretation of AS/NZS ISO 31000.

Table: A paradigm shift from hazard to precaution based risk assessment

The point of the shift is to ensure that all reasonably practicable precautions are in place (that is, so that risks are eliminated or minimised so far as is reasonably practicable, or SFAIRP), rather than to achieve an indefensible target level of risk or safety (like ALARP), which is a typical result of the hazard based approach. The hazard based approach is all about inputs whilst the precaution based approach is all about outputs, which is far more useful and productive. That is, not only are the requirements of the legislation met, it actually provides for superior safety outcomes more efficiently.

²¹ Standards Australia & Standards New Zealand (2009). Risk Management: Principles and Guidelines, AS/NZS ISO 31000:2009. Sydney.
²² From the definition in AS/NZS ISO 31000, clause 2.24: "risk evaluation: process of comparing the results of risk analysis (2.21) with risk criteria (2.22) to determine whether the risk (2.1) and/or its magnitude is acceptable or tolerable."


Implications for Designers

If the arguments for the weaknesses of the hazard based approach (especially the use of acceptable or tolerable levels of risk) are accepted, then the implications for designers in a great number of industries that deal with rare, high consequence events are profound. Two are described in the following sections: land use planning for major hazard industries, and high voltage earthing.

Land Use Planning

Possibly the most unfortunate outcome of the use of hazard based analysis with target risk criteria is in land use safety planning for hazardous chemical facilities²³. Firstly, if the criteria are not satisfied it tends to sterilise planning areas from development. From an engineering perspective at least, this is just silly. Any site has issues, including windstorm hazards, geotechnical and earthquake potentials, storm surge, flooding and inundation, lightning strike potentials and so on. For the design to be successful, all of these must be addressed; the fact that there is a chemical exposure is just another hazard to be managed. If, in order to be safe, people wind up in an unaffordable, unattractive, air conditioned bunker, then it may be that the project will not proceed. But this will be for commercial reasons, not safety ones.

[Figure: Precautionary vs target risk level approach to land use planning. Left, target risk level approach: major hazard facility; calculated 10⁻⁶ pa risk contour; exclusion zone inside the contour; normal building standards apply beyond it. Right, precautionary approach: increasing precautions the closer a structure is to the facility; no special precautions needed beyond the credible worst case consequence contour.]

Secondly, it ignores rare, catastrophic hazards. For example, if a plot of the over-pressures at Buncefield (an unconfined vapour cloud that detonated at a fuel depot in the UK in 2005) were to be mapped onto any major hazard fuel farm in Australia, the area in which fatalities can occur is huge. But although monstrous, this is historically a very rare event. If the event is discounted by the unlikelihood of its occurrence (at say 1 x 10⁻⁹ pa) in accordance with the risk target approach (a target of typically 1 x 10⁻⁶ pa, three orders of magnitude larger), the area of concern becomes much smaller.

²³ Robinson, Richard M., Gaye E. Francis, Peter Hurley et al. (2013). Risk and Reliability: Engineering Due Diligence (9th Edition). R2A Pty Ltd. Page 169.


Under most current planning regimes, structures developed beyond such 10⁻⁶ pa individual risk contours need only be building code compliant, and no building is permitted closer to the major hazard facility. The diagram above describes the concept. Adopting the precautionary approach to land use planning in these circumstances means that the closer to the hazard a structure is, the greater the precautions need to be. In principle, provided the level of protection is high enough, there is no limit to where a structure could be built in relation to the major hazard facility. For example, immediately adjacent to the explosion the protection required may be a concrete bunker, as death may result directly from the overpressure. At some distance the direct overpressure danger is reduced, but a house with laminated windows may be required to prevent glass shards shrapnelling occupants. Beyond the credible worst case contour no protection from this hazard is required. The quantitative risk assessment (QRA) calculation of the risk contour is beneficial only in determining the level of protection required at a given location, which enables the common law test of the balance of the significance of the risk vs the effort required to reduce it to be applied. For example, between the 10⁻⁶ pa risk contour and the credible worst case consequence contour, the cost of providing sheet metal roofs and laminated glass windows rather than tiles and ordinary glass, especially for new structures, is very, very small indeed.
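The two decision rules contrasted above (the target risk level rule and the precaution based, SFAIRP rule) applied to the three zones of the land use diagram, as an added illustration in Python that is not code from the paper or from EG-0. The only figures taken from the paper are the 10⁻⁶ pa individual risk target and the ordering of protection with distance (bunker, then laminated glass and sheet metal roof, then nothing); the QRA risk figures, the consequence classes, the precaution costs and the "gross disproportion" cut-offs are constructed assumptions, as are the names TARGET_RISK_PA, GROSS_DISPROPORTION, Precaution, Location, target_level_decision, sfairp_decision and compare.

```python
"""Added illustration, not code from the paper or from EG-0: the two decision rules
the paper contrasts, applied to one constructed land-use planning scenario near a
major hazard facility.

Every number here is a constructed, hypothetical input (QRA risk figures, precaution
costs, the gross-disproportion cut-off). The only things taken from the paper are the
10^-6 pa individual risk target and the ordering of protection with distance
(bunker, then laminated glass and sheet metal roof, then nothing).
"""
from dataclasses import dataclass

TARGET_RISK_PA = 1e-6  # individual fatality risk target the paper describes (per annum)

# Worst credible consequence classes, ordered so that a greater value is worse.
SEVERITY = {"none": 0, "injury": 1, "fatality": 2}

# Hypothetical cut-off for the common-law "effort grossly disproportionate to the
# significance of the risk" test, keyed by the residual consequence a precaution
# addresses: precaution cost as a fraction of the cost of the structure. The paper's
# position is that no distance is off limits if protection is high enough, so a
# fatality residual has no cost cut-off; whether a bunker is affordable is then a
# commercial decision rather than a safety one.
GROSS_DISPROPORTION = {"fatality": float("inf"), "injury": 0.5, "none": 0.0}


@dataclass(frozen=True)
class Precaution:
    name: str
    cost_fraction: float  # constructed: cost as a fraction of the structure cost
    residual: str         # constructed: worst credible consequence left once adopted


@dataclass(frozen=True)
class Location:
    name: str
    individual_risk_pa: float  # constructed QRA output: annual individual fatality risk
    inside_worst_case: bool    # inside the credible worst-case consequence contour?
    consequence: str           # constructed: unmitigated worst credible consequence here
    options: tuple             # practicable precautions at this location


def target_level_decision(loc: Location) -> dict:
    """Hazard-based rule: compare the calculated risk to the target and stop there.
    Inside the 10^-6 pa contour no building is permitted; outside it normal building
    standards apply, whatever the credible worst case at that spot."""
    return {"permitted": loc.individual_risk_pa <= TARGET_RISK_PA, "required": []}


def sfairp_decision(loc: Location) -> dict:
    """Precaution-based rule: test every practicable precaution for reasonableness,
    cheapest first. Keep a precaution if it still lowers the residual consequence and
    its effort is not grossly disproportionate to the significance of what it removes."""
    residual = loc.consequence if loc.inside_worst_case else "none"
    required = []
    for p in sorted(loc.options, key=lambda p: p.cost_fraction):
        if SEVERITY[p.residual] >= SEVERITY[residual]:
            continue  # no further risk reduction, so nothing to balance the effort against
        if p.cost_fraction > GROSS_DISPROPORTION[residual]:
            continue  # effort grossly disproportionate to the significance of the residual risk
        required.append(p.name)
        residual = p.residual
    return {"permitted": True, "required": required, "residual": residual}


# Constructed scenario (hypothetical figures) following the paper's diagram: adjacent
# to the facility, between the 10^-6 pa contour and the credible worst-case contour,
# and beyond the worst-case contour. The middle location carries a Buncefield-type
# event that the QRA discounts to 10^-9 pa because it is historically very rare.
LAMINATED = Precaution("laminated glass and sheet metal roof", 0.02, "injury")
BUNKER = Precaution("reinforced concrete bunker", 2.0, "none")
DIRECT_BLAST = Precaution("laminated glass and sheet metal roof", 0.02, "fatality")

ADJACENT = Location("adjacent to facility", 5e-5, True, "fatality", (DIRECT_BLAST, BUNKER))
BETWEEN = Location("between contours", 1e-9, True, "fatality", (LAMINATED, BUNKER))
BEYOND = Location("beyond worst-case contour", 1e-12, False, "fatality", (LAMINATED, BUNKER))


def compare(locations=(ADJACENT, BETWEEN, BEYOND)) -> list:
    """Run both rules over the scenario and return the side-by-side outcome."""
    return [
        {"location": loc.name,
         "target_level": target_level_decision(loc),
         "sfairp": sfairp_decision(loc)}
        for loc in locations
    ]


if __name__ == "__main__":
    for row in compare():
        print(row["location"])
        print("  target level:", row["target_level"])
        print("  SFAIRP      :", row["sfairp"])
```

Run stand-alone, the script shows the divergence the paper describes: at the location between the contours the target rule permits building with no special precautions because 10⁻⁹ pa is below the 10⁻⁶ pa target, while the SFAIRP rule adopts the cheap laminated glass and sheet metal roof (and rejects the bunker as grossly disproportionate for the injury-level residual); adjacent to the facility the target rule prohibits building outright, while the SFAIRP rule permits it on condition of a bunker, leaving affordability as a commercial question.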
If buildings are permitted between the designated 10⁻⁶ pa individual risk contour and the glass over-pressure limit (beyond which glass shards become a hazard) without such precautions, and an (admittedly rare) explosion resulting in deaths or injuries occurs, then the responsible officers of the PCBUs responsible for approving and building such structures (town planners, developers, architects, engineers, builders etc.) may be found negligent under the common law and criminally reckless under the provisions of the new WHS legislation (knew, or made or let it happen).

EG(0), The Power System Earthing Guide

EG(0), the Power System Earthing Guide²⁴, appears to define risk limit targets consistent with the NSW Department of Planning guidelines, as shown in the table and figure below.

Excerpt from EG-0 Power System Earthing Guide, Part 1: Management Principles, Version 1, May 2010, page 16:

4.4.5 Who should conduct a risk assessment

Risk assessments must be conducted by those who create and control the extent of the risk—the asset owners or those acting on their behalf. The personnel who bear responsibility for managing the risk assessments and the safety of both the public and work personnel will be hereafter referred to as 'duty holders'.

The duty holders must be able to access site specific data which may be used to form the basis of the assessment and are in an appropriate position to determine the risk treatment methods. The duty holders are also in the best position to conduct regular risk reassessments and ensure that risk treatment methods are implemented satisfactorily.

4.4.6 Risk limit targets

Any injury to or fatality of a worker or member of the public is unacceptable, however the inherent danger of electricity and disproportionate cost of protecting every individual from every conceivable hazard requires that some level of risk be tolerated. Risk targets set for environmental health and safety cases, while having an appearance of uniformity, are in fact greatly variable. The main variation concerns how uncertainty and variability in contributing parameters is managed. As for most decisions of this nature the outcome is contingent upon a wide range of issues, including: size of exposed populations, duty of care and legal precedence, physical implementation limitations, economic criteria, equity and fairness, stakeholder values and perceptions, physiological criteria, comparable risks existing.

It is important that staff analysing a particular risk scenario are consistent in assigning values to parameters and interpreting the results of the risk quantification. To meet that goal this Guide aims to articulate assumptions and tools, and to provide both 'by hand' and software-based analysis tools. In setting risk criteria, the underlying principle is that people should not involuntarily be subject to a risk which is significant in relation to the background risk associated with what could be realistically expected to be 'normal movements'.

Individual and societal risk should be considered separately and the more stringent outcome used as the risk scenario to be managed. While an individual’s concern about their life or safety is largely independent of whether the risk is from an isolated incident or a major disaster, society’s risk perception is strongly influenced by events with potential for multiple injuries or fatalities [9].

4.4.6.1 Tolerable individual fatality risk limits

The risk increase to which an individual may be inadvertently exposed may be calculated on an annual basis and assessed against the target fatality probability limits in common use, Table 4-1 following (for example, NSW Risk Guidelines [8], [9], or WA EPA Guidelines [27]). The assessment is made considering the risk to a person who represents the maximum exposure that could be expected of a person acting reasonably. For a distribution of population behaviours from least to most risk attracting, maximum reasonable exposure is considered to be an estimate of the behaviour of 90 to 95 percent of the population.

Table 4-1: Target individual fatality probability limits

Probability of single fatality | Risk classification for public death | Resulting implication for risk treatment
≥ 10⁻⁴ | High or Intolerable risk | Must prevent occurrence regardless of costs.
10⁻⁴ to 10⁻⁶ | Intermediate or ALARA Region | Must minimise occurrence unless risk reduction is impractical and costs are grossly disproportionate to safety gained.
≤ 10⁻⁶ | Low or Tolerable risk | Risk generally acceptable, however, risk treatment may be applied if the cost is low and/or a normally expected practice.

EG-0 individual risk limits

²⁴ Energy Networks Association Limited (2010). EG-0 Power System Earthing Guide, Part 1: Management Principles, Version 1, May 2010. Canberra.


Excerpt from EG-0 Power System Earthing Guide, Part 1: Management Principles, Version 1, May 2010, page 18:

Therefore it is understandable that the greater the number of people possibly exposed the higher the values. The value of 'F' on the 'Y' axis is therefore the highest value as it relates to 'one or more' fatalities.

The boundary conditions on the ALARA Region have been aligned with those in common use within Australia relating to hazardous industries [11]. The position on the Y axis crossing and slope of the lines defining the upper and lower limits have been developed based upon the relative utility of the product (i.e. value of electricity to society), and experience in assessing risk profiles. A steeper gradient is sometimes used to assess incidents which might be considered to have an exceptional negative impact upon a large percentage of the population (for example, nuclear power plants, large dams). Nevertheless, the graph is interpreted in a similar manner to the individual risk assessment, where if part of the curve lies within each of the Regions the following steps should be taken.

» Intolerable Region—The risk profile must be reduced.

» ALARA Region—Reduce the risk profile whenever possible, and only accept the residual risk on the basis of a risk cost benefit analysis (RCBA) (see Appendix F). The use of the ALARA principle (or ALARP) is clearly intended to form a key part of the Due Diligence process embodied in this Guide. The ALARA principle that requires a designer and asset owner to reduce the risk profile whenever possible provides a consistent yet practical means for managing earthing system related risk.

» Low or tolerable Region—Risk generally acceptable, however, risk treatment may be applied if the cost is low and/or a normally expected practice.

Both the individual and societal hazard scenarios should be assessed and the risk profile of both managed depending upon the region in which the risk is placed (i.e. intolerable, ALARA, or negligible).

It should be noted that when calculating societal risk, account should be taken of possible future increases in population density, particularly in cases where assets are in areas where there is surrounding residential land that has not yet been fully developed.

Figure 4-4: Societal F-N risk limits

4.4.7 New Zealand risk management approach

A similar approach to risk assessment for earthing systems has been adopted in New Zealand and is outlined in the EEA Guide to Power System Earthing Practice. The New Zealand approach utilises a similar method for calculation of the coincidence probability and applies similar individual risk limits, but does not include probabilistic analysis in the calculation of design voltage limits.

EG-0 societal risk limits


Whilst the table has further caveats that address some of the weaknesses of the hazard based approach to risk described in this paper (for example, in the low or tolerable region), the overall use of such target risk levels remains contrary to the SFAIRP approach of the model legislation. Such an approach is especially problematic in states like Queensland that have modified the provisions of the Electrical Safety Act to be entirely consistent with the provisions of the WHS Act, including penalties. The implications of this approach, and how to positively demonstrate due diligence, were presented by the authors at an earlier IDC conference²⁵ and are not repeated here.

²⁵ Gaye E. Francis and Richard M. Robinson (2011). Power Safety Due Diligence. Proceedings of the IDC "Power System Protection & Earthing Forum". Perth, 23-24 November 2011.


Conclusion

In reality, to be safe means to be free from harm. In court, safe means that, despite something apparently unsafe having happened, due diligence has been demonstrated. In engineering terms this means that to be safe requires managing the laws of nature in a way that is consistent with the laws of man, in that order. The Engineers Australia Safety Case Guideline has always adopted the precautionary common law formulation for the demonstration of due diligence as a defence against negligence, namely:

• A completeness argument as to why all credible critical safety issues to all affected parties have been identified

• An argument as to why all practicable precautions for each credible critical issue have been identified,

• An argument as to which practicable precautions are reasonable, consistent with decisions of the High Court of Australia, and

• The establishment of a safety quality assurance regime to confirm that all reasonably practicable precautions are maintained on a continuing basis.

Such an approach does not mean bad things can't happen. It means (presuming that the activity is not so prohibitively dangerous that it should not occur at all) that all reasonably practicable precautions for all foreseeable, critical hazards to all affected parties are in place, based on the balance of the significance of the risk vs the effort required to reduce it. This also means that risks are eliminated or minimised so far as is reasonably practicable (SFAIRP). The 3rd revision of the Guideline outlines the shift from hazard based risk assessment to the precautionary due diligence approach now mandated by most Australian parliaments. Such a change has significant implications for designers, especially in the use as design tools of standards that rely on target levels of risk and safety, such as the EG(0) Power System Earthing Guide. Any design that relies exclusively on a process that is specifically rejected by statute will face serious legal difficulties. And in the event of a fatality, a beyond reasonable doubt proof of recklessness would be available, which would be expected to lead to criminal charges for responsible officers of designer PCBUs (persons conducting a business or undertaking) under the provisions of the model WHS legislation.