What is safe SFAIRP?


Disclaimers:

  • This article is focused on safe systems engineering design and may not be applicable to the understanding of SFAIRP in other areas of use. Usage of the content of this article will need to be assessed by the reader and at their own risk.
  • This article is focused on the application within Australian law. Readers outside of this jurisdiction will need to assess its applicability to the legislation within their own domains.
  • Opinions expressed in this article are my own and are not representative of any organisation or body.
  • I am not a lawyer and do not profess to be one. This article uses determinations arising from the products of competent legal professionals, and applies the safe systems engineering aspect to align with required legal expectations.
  • We recognise diversity and inclusion. Non-inclusive pronouns in the article reflect either direct quotes or references to case law specific to the defendant's gender.

What is the basis behind safe “so far as is reasonably practicable” (SFAIRP)?

The obligation behind safe SFAIRP is Duty of Care (i.e. the duty to ensure safety so far as is reasonable). Duty of Care and Negligence are related to each other, and the law that governs Negligence as a whole is the Wrongs Act 1958. Safe SFAIRP is therefore very closely related to the Law of Negligence. To understand safe SFAIRP, one must first have a foundation in what the law expects in the domain of Duty of Care and the expected Standard of Care.

In 2002, Treasury commissioned a review into the Law of Negligence with the intention of reforming the tort law aimed at addressing the insurance crisis of the late 1990s and early 2000s. The report, titled "Final Report of the Review of the Law of Negligence" was produced by a panel convened pursuant to a Ministerial Meeting on Public Liability and chaired by the Hon David Ipp (the Ipp Report). This Ipp Report can be found on the Treasury website.

Chapter 7 of the report contains the recommendations on Foreseeability, Standard of Care, Causation and Remoteness of Damage. It should be noted that several recommendations from this Chapter were adopted into an amendment to the Wrongs Act 1958 in 2003.

The Ipp Report describes that “the standard of care is often couched in terms of the reasonable person: it is negligent to do what the reasonable person would not do, and not to do what the reasonable person would do”.

The Ipp Report also describes the concept of negligence as having 2 components:

  • Foreseeability of the risk of harm – relevant to answering the question of whether the reasonable person would have taken any precautions at all.
  • “Negligence Calculus” – provides a framework for deciding what precautions the reasonable person would have taken.

The following provides an illustration of this topic.

Relationship between Reasonable, Reasonably Foreseeable and Reasonably Practicable

Safe SFAIRP is related to the “Negligence Calculus” in providing an objective determination of whether the precautions taken are reasonably practicable.

From this, we will briefly explore the following elements:

  • Reasonable
  • Reasonably Foreseeable
  • Reasonably Practicable

Reasonable

What is “Reasonable” is applied from the “Reasonable Person” test. My favourite description of the “Reasonable Person” is a quote by JM Feinman in his book Law 101, which I read in R2A’s booklet Criminal Manslaughter & How Not To Do It.

"The reasonable person is not any particular person or an average person… The reasonable person looks before he leaps, never pets a strange dog, waits for the airplane to come to a complete stop at the gate before unbuckling his seatbelt, and otherwise engages in the type of cautious conduct that annoys the rest of us… This excellent but odious character stands like a monument in our courts of justice, vainly appealing to his fellow citizens to order their lives after his own example."

J M Feinman (2010), Law 101

It should be noted that what is considered “Reasonable” is determined from Case Law and argued in the Courts. This determination can change, and will probably change with time, and can have a significant impact on how engineering due diligence needs to be done. As engineers, we need to keep our knowledge of these developments up to date.

Very often, whether the person has effective control over the hazard, or the ability to exercise influence over it, is a major consideration in determining whether it is reasonable to expect the person to have taken the necessary precautions against a harm.

Reasonably Foreseeable

The Ipp Report describes “Reasonably Foreseeable” as a term “often used to convey the idea that the risk is not so improbable that the reasonable person would ignore it”. It goes on to state that

“the High Court in Wyong Shire Council v Shirt (1980) 146 CLR 40 held, in effect, that a person cannot be held liable for failure to take precautions against a risk that could be described as ‘far-fetched or fanciful’, even if it was foreseeable”.

It further states that

“what this amounts to saying is that there are some risks that are of such low probability that the reasonable person would ignore them, regardless of the balance of the other considerations in the negligence calculus — that is, no matter how serious the harm was likely to be if the risk materialised, no matter how cheap or easy it would have been to take precautions that would have prevented the risk materialising, and no matter how socially worthless the risk-creating activity was.”

The Ipp Report recommends use of the term “not insignificant” instead of “far-fetched or fanciful”. This was subsequently included as Section 48 in Division 2 of the Wrongs Act 1958 (inserted by No. 102/2003).

Extract of the Wrongs Act 1958 showing the insertion of Section 48


There is no prescribed threshold for what is considered “Not Insignificant”. However, we may be able to use the concept of “peer professional opinion” in the engineering discipline to determine that threshold from the wider engineering industry, for the purpose of facilitating engineering due diligence in design. The following are the hazard rates used in various industries:

  • Health and Safety Executive (UK) – Guidance on ALARP decisions in COMAH: the UK HSE describes a hazard rate of 1 x 10^-6 deaths per annum as Broadly Acceptable. On a per hour basis, this is a hazard rate of 1.14 x 10^-10.
  • Safe Work Australia – Guide for Major Hazard Facilities: Safety Case: Demonstrating the Adequacy of Safety Management and Control Measures: Safe Work Australia provides the guidance that 0.1 per million per year is considered broadly tolerable. On a per hour basis, this is a hazard rate of 1.14 x 10^-11.
  • Airworthiness Manual (Doc 9760) Part V Section 2.6.3: the manual describes a hazard rate of 1 x 10^-7 on a per hazard basis, with a required performance of 1 x 10^-9 on a per safety system basis.
  • Rail – EN 50129:2018 Annex A: EN 50129 does not describe a required hazard rate, but presents the maximum safety integrity rating, SIL4, at a performance of 1 x 10^-9 per hour.
  • Design of electronic safety-related systems – AS 61508.1-2011 Section 7.6.2: AS 61508.1 does not describe a required hazard rate, but presents the maximum safety integrity rating, SIL4, at a performance of 1 x 10^-9 per hour.


While there has been no specific legal test of these quantified rates, there may be a case for demonstrating due diligence if these values form the basis for determining where we justify a risk as “Insignificant”.

What is clear, however, is that if the hazard rate is not anywhere near these figures, it is “Not Insignificant” and needs to be managed.

It should be noted that the UK HSE describes hazard rates of 1 x 10^-3 (workers) and 1 x 10^-4 (public) deaths per annum, equivalent to 1.14 x 10^-7 (workers) and 1.14 x 10^-8 (public) deaths per hour, as “Intolerable”; such risks must be “reduced regardless of cost”.

Extract from the Health and Safety Executive (UK)'s guidance on ALARP decisions in Control of Major Accident Hazards (COMAH) with added conversion of per annum to per hour fatality hazard rates



Extract from Safe Work Australia - Guide for Major Hazard Facilities: Safety Case: Demonstrating the Adequacy of Safety Management and Control Measures


Reasonably Practicable

This portion is what safe SFAIRP is about.

The definition of “Reasonably Practicable” is widely quoted from Edwards v National Coal Board (1949) and reads:

“Reasonably practicable, as traditionally interpreted, is a narrower term than ‘physically possible’ and implies that a computation must be made in which the quantum of risk is placed in one scale and the sacrifice, whether in money, time or trouble involved in the measures necessary to avert the risk is placed in the other; and that, if it be shown that there is a gross disproportion between them, the risk being insignificant in relation to the sacrifice, the person upon whom the duty is laid discharges the burden of proving that compliance was not reasonably practicable. This computation falls to be made at a point of time anterior to the happening of the incident complained of.”

Lord Justice Asquith, Edwards v National Coal Board [1949]

This English Case Law was confirmed by the Australian High Court in Slivak v Lurgi (Australia) Pty Ltd (2001) 205 CLR 304 as cited by Bluff & Johnstone (2004) in the article titled “The Relationship Between ‘Reasonably Practicable’ and Risk Management Regulation” (WP 27 ANU National Research Centre for OHS Regulation).

It should be noted that “Reasonably Practicable” is a computation and not an acceptance of risk nor a risk assessment.

It should also be noted that the Negligence Calculus identifies 4 points:

  1. the probability that the harm would occur if care was not taken;
  2. the likely seriousness of that harm;
  3. the burden of taking precautions to avoid the harm;
  4. the social utility of the risk-creating activity.

The calculus involves weighing (1) and (2) against (3) and (4).


In the same manner, “Reasonably Practicable” is defined in legislation as:

“In this Act, reasonably practicable, in relation to a duty to ensure health and safety, means that which is, or was at a particular time, reasonably able to be done in relation to ensuring health and safety, taking into account and weighing up all relevant matters including:

a) the likelihood of the hazard or the risk concerned occurring; and

b) the degree of harm that might result from the hazard or the risk; and

c) what the person concerned knows, or ought reasonably to know, about:

    (i) the hazard or the risk; and

    (ii) ways of eliminating or minimising the risk; and

d) the availability and suitability of ways to eliminate or minimise the risk; and

e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.”

This definition of “Reasonably Practicable” is an expansion of the Negligence Calculus into the domain of safety, providing the framework for carrying out the computation and then demonstrating the gross disproportion described by Lord Justice Asquith.

Now that we have established that safe SFAIRP is a calculation, what do we need to do to reach a safe SFAIRP conclusion?

Using the definition of "Reasonably Practicable" provided in legislation as a framework, and applying due diligence, will help. It is also important to note that "Due Diligence" has a legal definition in the Work Health and Safety Act 2011, Part 2, Division 4, section 27.

"In this section, due diligence includes taking reasonable steps:

(a) to acquire and keep up-to-date knowledge of work health and safety matters; and

(b) to gain an understanding of the nature of the operations of the business or undertaking of the person conducting the business or undertaking and generally of the hazards and risks associated with those operations; and

(c) to ensure that the person conducting the business or undertaking has available for use, and uses, appropriate resources and processes to eliminate or minimise risks to health and safety from work carried out as part of the conduct of the business or undertaking; and

(d) to ensure that the person conducting the business or undertaking has appropriate processes for receiving and considering information regarding incidents, hazards and risks and responding in a timely way to that information; and

(e) to ensure that the person conducting the business or undertaking has, and implements, processes for complying with any duty or obligation of the person conducting the business or undertaking under this Act; and

(f) to verify the provision and use of the resources and processes referred to in paragraphs (c) to (e)."


What is considered as "appropriate resources and processes" depends heavily on the situation at hand. In deciding what processes and resources to apply, and how they are applied, the engineering designer needs to be mindful of the due diligence expectations described above.

The following sections discuss the resources and processes available in the industry for each clause in the definition of "Reasonably Practicable" provided in legislation.

It should be noted that the lists provided are not exhaustive.

a) the likelihood of the hazard or the risk concerned occurring

Available methods of determination include:

  • Fault Tree Analysis – AS IEC 61025
  • Event Tree Analysis – AS IEC 62502
  • Reliability Block Diagram – AS IEC 61078
  • Historical Data analysed by statistical distribution probability – Normal, Poisson, Binomial, Exponential, Logarithmic, Weibull, etc.
  • Engineering Judgement

b) the degree of harm that might result from the hazard or the risk

Available methods of determination include:

  • Historical Data analysed by statistical distribution probability – Normal, Poisson, Binomial, Exponential, Logarithmic, Weibull, etc.
  • Hazard and Operability Study (HAZOP) – AS IEC 61882
  • Failure Modes, Effects and Criticality Analysis (FMECA) – AS IEC 60812
  • Engineering Judgement

c) what the person concerned knows, or ought reasonably to know, about: (i) the hazard or the risk; and (ii) ways of eliminating or minimising the risk

Available methods of determination include:

  • Workshops
  • Consultation
  • Risk Assessments
  • Market Research
  • Historical occurrences
  • Contemporary method
  • Other industries
  • Australian Standards/International Standards
  • Industry publications, including scientific, academic and technical literature

d) the availability and suitability of ways to eliminate or minimise the risk

Available methods of determination include:

  • Workshops
  • Consultation
  • Product specifications
  • Market Research

Main points of consideration on availability and suitability include:

  • Is there “Control”?
  • Is there capacity to influence?
  • Effectiveness
  • Logistically suitable
  • Technically suitable
  • Environmentally suitable
  • Introduction of another higher risk

It should be noted that Clause 17 of the Work Health and Safety Act 2011 requires that elimination of the hazard be determined to be not reasonably practicable before minimisation of the risks from the hazard is considered:

“A duty imposed on a person to ensure health and safety requires the person:

a) to eliminate risks to safety so far as is reasonably practicable; and

b) if it is not reasonably practicable to eliminate risks to health and safety, to minimise those risks so far as is reasonably practicable."

e) after assessing the extent of the risk and the available ways of eliminating or minimising the risk, the cost associated with available ways of eliminating or minimising the risk, including whether the cost is grossly disproportionate to the risk.

Available resources to facilitate determination include:

  • Safety Cost Benefit Analysis – UK Health and Safety Executive CBA Checklist
  • Disproportionate Factor – Sizewell B Public Inquiry
  • Value of Statistical Life – Office of Impact Analysis, Prime Minister’s Office
  • Fatality Weighted Injury – RISSB/ONRSR (200:10:1 weighting)
  • Lifecycle Cost Analysis – AS 4536
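The following is an added worked example (my own illustration, not the article's or any regulator's method) of the computation described by Lord Justice Asquith: the sacrifice is the cost of a candidate precaution, the quantum of risk is the risk it removes, expressed through the 200:10:1 FWI weighting and a Value of Statistical Life, and candidates are taken in the Clause 17 order, elimination before minimisation. The VSL, the disproportion factor and all casualty and cost figures are constructed placeholders that a real assessment would source and justify.

```python
"""Gross disproportion test for candidate precautions (constructed example): the
cost of a precaution is weighed against the risk it removes, valued via FWI and
a Value of Statistical Life over the period the benefit accrues."""
from dataclasses import dataclass

# RISSB/ONRSR weighting quoted in the article: 1 fatality = 10 major = 200 minor.
FWI_WEIGHTS = {"fatality": 1.0, "major": 1 / 10, "minor": 1 / 200}
# PLACEHOLDERS: the article gives neither a VSL nor a disproportion factor; a real
# assessment sources VSL from the Office of Impact Analysis and justifies its factor.
VSL_AUD = 5_000_000.0
DISPROPORTION_FACTOR = 3.0

@dataclass
class HarmProfile:
    """Expected casualties per hazard occurrence (constructed values)."""
    fatality: float = 0.0
    major: float = 0.0
    minor: float = 0.0

    def fwi(self) -> float:
        return sum(getattr(self, k) * w for k, w in FWI_WEIGHTS.items())

@dataclass
class Precaution:
    name: str
    rate_before: float  # hazard occurrences per year without the precaution
    rate_after: float   # occurrences per year with it (0.0 = elimination)
    cost_aud: float     # lifecycle cost of the precaution
    life_years: float   # period over which the risk reduction is enjoyed

def annual_risk_cost(rate_per_year: float, harm: HarmProfile, vsl: float = VSL_AUD) -> float:
    return rate_per_year * harm.fwi() * vsl

def assess(p: Precaution, harm: HarmProfile, df: float = DISPROPORTION_FACTOR) -> dict:
    """Edwards computation: sacrifice (cost) on one scale, risk removed (benefit) on
    the other. Cost above df times benefit is treated as grossly disproportionate, so
    the precaution is not reasonably practicable; removing no risk gives ratio inf."""
    delta = annual_risk_cost(p.rate_before, harm) - annual_risk_cost(p.rate_after, harm)
    benefit = delta * p.life_years
    ratio = p.cost_aud / benefit if benefit > 0 else float("inf")
    return {"name": p.name, "benefit_aud": benefit, "ratio": ratio,
            "reasonably_practicable": ratio <= df}

def select(candidates: list, harm: HarmProfile) -> list:
    """WHS Act s.17 hierarchy: elimination options are tested first; minimisation
    options count only when no elimination is reasonably practicable."""
    eliminations = [c for c in candidates if c.rate_after == 0]
    minimisations = [c for c in candidates if c.rate_after > 0]
    for group in (eliminations, minimisations):
        viable = [r for r in (assess(c, harm) for c in group) if r["reasonably_practicable"]]
        if viable:
            return viable
    return []  # nothing reasonably practicable: the argument for that must be recorded

if __name__ == "__main__":
    harm = HarmProfile(fatality=0.5, major=2, minor=10)  # FWI 0.75 per occurrence
    options = [Precaution("remove hazard", 1e-2, 0.0, 20_000_000, 25),
               Precaution("interlock", 1e-2, 1e-4, 1_000_000, 25)]
    print([r["name"] for r in select(options, harm)])  # ['interlock']
```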

Safe SFAIRP Conclusion

When all the above steps have been explored and discussed, there needs to be an argument establishing the professional opinion that a safe SFAIRP outcome has been reached. This should be based on how all the treatments that are available and suitable, taken together, amount to a safe SFAIRP position.

Why the debate/discussion/argument on the differences between safe ALARP and SFAIRP?

After many discussions, it is my hypothesis that this arises from the difference in likelihood used in various organisations and industries.

In some organisations/industries, the engineers are trained to a risk matrix that has the lowest likelihood rate in the region of 1 in 100,000 years, i.e. 1 x 10^-9. It looks like in these organisations, risk is managed to the not “reasonably foreseeable” stage such that it is considered reasonable to leave the hazard at that point.

In other organisations/industries, the engineers are trained to a risk matrix that has the lowest likelihood rate in the region of 1 in 1000 years or even less, i.e. 1 x 10^-7. These engineers are then conditioned to be always at the point of determining what is “reasonably practicable”, never reaching the point where the hazard is not “reasonably foreseeable”.

And in some organisations/industries, engineering design hazard management gets mixed up with corporate/enterprise risk, so that engineering design work is managed only to the depth of corporate safety risks, which may reach only 1 in 20 or 1 in 100 years.

It is therefore my hypothesis that these differences in likelihoods have, over time, affected how engineers have been taught and trained, creating the differences in opinion on what constitutes safe SFAIRP or ALARP, and on the depth to which risks are managed.

With this understanding, I feel that there is no difference between SFAIRP and ALARP in the intent of the terms. However, there is a difference in practice, not because of the terms themselves, but because different industries work with different likelihood ranges, resulting in inconsistent training without a foundational understanding.

This situation is then exacerbated by a cookie cutter approach of learning to apply procedure without understanding the rationales behind the procedure.


Article Conclusion

It is my hope that this article explains what safe SFAIRP is and its relationship to Duty of Care and the Law on Negligence. I hope that it provides a deeper understanding of the rationale behind safe SFAIRP, moving beyond a "cookie cutter" approach to risk management processes. This would help bridge the gap between different engineering practices and achieve a more consistent approach to risk management.


Simon Di Nucci

System Safety Manager @ Raytheon | Aviation, Maritime, Software

6 months

Hi Victor, this looks very well researched. However, there is already excellent guidance from Safe Work Australia on how to determine what is reasonably practicable for WHS duties.
